Image Analysis

00:00

hi and welcome to everyday digital forensics. I'm your host to send you son and in today's macho will be going over image analysis. This is the final manager, of course,

00:10

and in today's video, it's more of Justin or of you.

00:13

The topics

00:15

in today's video is just an overview previously discussed in and of course thus far.

00:21

How are these topics are relevant to the analysis process? So I felt it was important just to kind of do a brief refresh.

00:29

However, you are Welcome to skits. The next video,

00:33

one of the use cases for performing a digital investigation.

00:39

There many reasons an investigator will use a digital forensics technique. A lot of them could be the retrieval of deleted or hidden file. The examination of a file before you executed

00:50

some of your network traffic analysis. Reviewing file metadata This is a very important portion of a file that stores so much information that even ah penetration

01:00

attacker or an examiner uses in their day to day.

01:06

Being able to determine the make and model of a photo based on the device is another use for a digital forensics.

01:12

We also have our mobile devices at an application. There's so many other methods that weren't discussed here.

01:21

Some general guidelines around forensic analysis Your first and former step is preservation. We want to avoid our analysis from from performing any modifications of the data

01:32

that is teamed and evidence.

01:34

So you want to make a copy of the original image,

01:38

put the original in a safe location and only work off of the copy during this whole portion and your analysis. Keeping track on calculating your hash values For the image. Clinton, the original Justin Verify the integrity of the image

01:53

using a right blocking device during your accusation and your analysis will reduce your chances off modifying your evidence

02:01

as well as if you're doing a live accusation

02:05

or even alive analysis. You want to minimize the number files that your create as well as open

02:10

during this time.

02:13

You want to isolate your analysis environment from both the suspect environment and the outside world. This is to prevent any threat from actually reaching out of your network out of your workstation and potentially

02:24

compromising other systems

02:27

we have. Correlation is to reduce the risk of forged data connecting different data sources with independent sources just to kind of create

02:35

and prove I heart purposes

02:38

and documentation.

02:38

Logging and documenting your efforts.

02:42

What? You surged, how long it took when you got the evidence, stated the evidence. Your hash bodies when you got the image when you finished, all this information should be logged and documented for your reports.

02:53

So your window vet logs is a very useful, detailed records about the system, the security and your application notifications that are stored within a Windows operating system

03:06

based on your operating system. You'll go to a stern directory to see these files. Your logs typically contain data the events a time, a user, ah, computer and events, I D of source and a type that can range from information warning, air

03:21

security, audit or security failure. Thes air all filter herbal within the windows of that Locke. And it's easy to search through to find an event or information by a user.

03:31

And this could be used

03:34

in your investigation to determine ah particular event or execution of a file,

03:38

or even access to your Windows machine.

03:43

Now you have your Web browser data. Your Web browser actually stores most

03:46

and recorded data about a user

03:49

a Web browsers data can define the personality of a user. You have your searches. You have her emails, blog's social media accounts, news articles that a person's spread or even seen their whole shopping. Think of everything that you do on a Web browser stay today.

04:05

And if someone, if a psychologist would take that kind of information, they will be able to create kind of a profile. Understand? You are This is what an examiner does. This is what also hacker does is defined that vulnerability spot to kind of penetrate you. So is the forensics examiner. You want to look through all this and see if, if you're looking at the servers I was compromised.

04:26

Was there a Web link that was quick that it potentially downloaded a file?

04:30

If you're trying to understand the suspect,

04:33

then you'll be looking at their search engines that they search for particular methods that was used in the crime that they send out emails that are linked to the crime. So sense of Web browser holds many purposes. This could actually be used

04:49

against the user,

04:50

so a Web browser data file. It is a very important location to look at, especially from the perspective of an example.

05:00

Window artifacts is another important area to look before the analysis off. These files demonstrate evidence in files that are downloaded

05:09

programs that are executed. Fires are open or created that potentially work clothes have a stored temp file for them.

05:15

You have you delete a file or found knowledge,

05:18

physical location of the device or the user. The same GPS was turned on. We have a pinpoint.

05:26

We have USB and drive usage as well as count and browser usage.

05:30

Some of the open source tools that could be used for analysis is your autopsy.

05:35

This is your guru in of the CLI version of autopsy is the Sleuth kit. You have wear a shark for your network analysis, or you can use T shirt for a command line.

05:46

You have a VM where or your virtual box for being able to create your own virtual images in the event you want to use something such as Cali and the next to perform and further forensics or examination your USB or your hard drive right. Baqer

06:00

and your abdicate imager are all just open source tools

06:04

that are available on the Web for you to use, depending on your use case.

06:11

So I hope you enjoyed today's episode. Like I said, this was just an overview of topics that have already been discussed, such as you general guidelines for forensic analysis,

06:18

talking about Windows event logs on the usefulness of those data sources,

06:23

your Web browser, data files and how this is useful for an examiner or even attacker Web artifacts and some open source tools.

06:31

In future videos, you're gonna see examination off

06:36

an image using after King imager using the image forensics capstone Mad that we performed in a previous module. We're gonna go ahead and review a malicious file

06:45

and dive deeper into the Sina graphic process.