Forensics Concepts


Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Forensics concepts. The learning objectives for this lesson are to explore the legal issues surrounding data forensics, to define the forensics process, and to describe data integrity and preservation. Let's get started. First, we're going to go over the forensics process.
The first step is identification. We're going to ensure that our crime scene is secure so that we can prevent evidence contamination. Then we're going to identify the scope of evidence to be collected. In an example, we've been asked to come over to a workstation in an office that is suspected to have been used in a crime. The first thing we're going to make sure of is that no one can get access to that workstation, so that it's not turned off, changes aren't being made, that type of thing. Also, we want to see whether any devices are connected to the computer, or whether flash drives or mobile devices are plugged in. All of this would be within our scope, so that we're sure we're collecting everything.

Then the next step is collection. We will make sure that the evidence is collected using tools and methods that will survive legal scrutiny. If this part isn't done correctly, then everything else doesn't matter, because if it will not survive legal scrutiny, then your case is going to get thrown out.
We move to analysis. This is where we are creating a forensics copy for us to do our analysis on. We never do our analysis on the direct data. We want to make sure we're using a copy for that. Then we're going to use repeatable methods and tools. This will also help us to survive legal scrutiny.

Then we will go to the reporting and presentation phase. This is where we create a report of all the methods and tools that we used, and then we present all the findings and our conclusions.

Chain of custody. This is a critical part of any forensics analysis, not just for computer or IT related. This is a record of evidence handling from the collection all the way through its presentation in court: who touched it, who did anything with it. Every detail is recorded. Who interacted with the evidence and what they did; it's a detailed report and labeling of all evidence collected. Strong physical controls should be in place where evidence is stored. You've heard stories of police evidence lockers not necessarily being secured and, because of that, the evidence in there became contaminated and cases were thrown out. Same type of thing here. We want to make sure that all of our evidence is collected and then stored in a safe way so that we can maintain the chain of custody.
Data acquisition. This is the process of collecting forensically clean copies of all data so that we can use it as evidence. We're going to work from the most volatile to the least volatile. The ISOC best practices say to start with the CPU registers and the cache memory, this being the most volatile. Then we go down to the contents of the system memory. After that, we go to the data that's on our mass storage devices, such as hard drives. Then we will look at remote logging and monitoring data. After that, we will move down to the physical configuration and the network topology. Then finally, we will move to the archival media, because this is the least volatile of all the evidence.
Cryptanalysis and steganalysis. Cryptanalysis is the art of breaking encryption. In certain situations, this may be a requirement if collected data is encrypted. Now, typically, this is going to be beyond the scope of most companies' evidence response teams. Even at the state level, this is going to become a difficulty for law enforcement. You've seen in the news where the FBI often has issues getting into Apple iOS devices because of the encryption. I cannot imagine very many times for a corporation or a company issue where this is going to become something that you're expected to do.

Then steganalysis is concerned with locating data that may be hidden within other files. We can often hide documents inside of picture files using steganography. We're going to use different tools to help see if the files that we've collected are containing any other types of data. This is something I can see that would be necessary in almost anyone's investigation. You would want to use tools that will scan through the files to find out if they're hiding any other pieces of information.
Forensics image versus forensics clone. Both of these represent duplicates of electronic media, and they're done bit by bit. An image can be used for analysis. A clone is a working copy that is not preserved. These terms are often used interchangeably, but one thing to keep in mind is that the clone is the one we're doing our work on, and it's not going to be preserved. We will be making changes to that, but we can figure out what we're looking for, and we always have the original forensics image to go back to.
Evidence preservation. Everything collected has to be labeled and bagged, and then sealed in tamper-resistant bags. If there is a possibility that electrostatic discharge will damage different devices, then those pieces of evidence should be placed in anti-static shielded bags. This would be especially important for sensitive drives, sensitive devices, sometimes even flash drives if you're really concerned with what's on there. Evidence should be stored in secure facilities that are access controlled. This is what I was referring to earlier, that you need to have the evidence locked away.
Let's summarize. We went over the forensics process and then the chain of evidence. We also discussed the difference between a forensics image and a forensic clone. We discussed cryptanalysis and steganalysis, and evidence preservation.

Let's do some example questions.

Question 1: this describes the process of maintaining evidence from collection to presenting it in court. Chain of custody.

Question 2, true or false: hard drive data should be collected before system memory. False. System memory is more volatile and should be collected first.

Question 3, true or false: a forensics image isn't preserved and is used for working. False. A forensics clone is a working copy that isn't preserved.

Finally, question 4: this describes looking for hidden data inside of other files. Steganalysis.

I hope this lesson was very helpful for you and gave you a good idea of the forensics process. I'll see you in the next lesson.