hi and welcome to everyday digital forensics. I'm your host to send you son and in today's macho will be going over image analysis. This is the final manager, of course,
and in today's video, it's more of Justin or of you.
in today's video is just an overview previously discussed in and of course thus far.
How are these topics are relevant to the analysis process? So I felt it was important just to kind of do a brief refresh.
However, you are Welcome to skits. The next video,
one of the use cases for performing a digital investigation.
There many reasons an investigator will use a digital forensics technique. A lot of them could be the retrieval of deleted or hidden file. The examination of a file before you executed
some of your network traffic analysis. Reviewing file metadata This is a very important portion of a file that stores so much information that even ah penetration
attacker or an examiner uses in their day to day.
Being able to determine the make and model of a photo based on the device is another use for a digital forensics.
We also have our mobile devices at an application. There's so many other methods that weren't discussed here.
Some general guidelines around forensic analysis Your first and former step is preservation. We want to avoid our analysis from from performing any modifications of the data
that is teamed and evidence.
So you want to make a copy of the original image,
put the original in a safe location and only work off of the copy during this whole portion and your analysis. Keeping track on calculating your hash values For the image. Clinton, the original Justin Verify the integrity of the image
using a right blocking device during your accusation and your analysis will reduce your chances off modifying your evidence
as well as if you're doing a live accusation
or even alive analysis. You want to minimize the number files that your create as well as open
You want to isolate your analysis environment from both the suspect environment and the outside world. This is to prevent any threat from actually reaching out of your network out of your workstation and potentially
compromising other systems
we have. Correlation is to reduce the risk of forged data connecting different data sources with independent sources just to kind of create
and prove I heart purposes
Logging and documenting your efforts.
What? You surged, how long it took when you got the evidence, stated the evidence. Your hash bodies when you got the image when you finished, all this information should be logged and documented for your reports.
So your window vet logs is a very useful, detailed records about the system, the security and your application notifications that are stored within a Windows operating system
based on your operating system. You'll go to a stern directory to see these files. Your logs typically contain data the events a time, a user, ah, computer and events, I D of source and a type that can range from information warning, air
security, audit or security failure. Thes air all filter herbal within the windows of that Locke. And it's easy to search through to find an event or information by a user.
And this could be used
in your investigation to determine ah particular event or execution of a file,
or even access to your Windows machine.
Now you have your Web browser data. Your Web browser actually stores most
and recorded data about a user
a Web browsers data can define the personality of a user. You have your searches. You have her emails, blog's social media accounts, news articles that a person's spread or even seen their whole shopping. Think of everything that you do on a Web browser stay today.
And if someone, if a psychologist would take that kind of information, they will be able to create kind of a profile. Understand? You are This is what an examiner does. This is what also hacker does is defined that vulnerability spot to kind of penetrate you. So is the forensics examiner. You want to look through all this and see if, if you're looking at the servers I was compromised.
Was there a Web link that was quick that it potentially downloaded a file?
If you're trying to understand the suspect,
then you'll be looking at their search engines that they search for particular methods that was used in the crime that they send out emails that are linked to the crime. So sense of Web browser holds many purposes. This could actually be used
so a Web browser data file. It is a very important location to look at, especially from the perspective of an example.
Window artifacts is another important area to look before the analysis off. These files demonstrate evidence in files that are downloaded
programs that are executed. Fires are open or created that potentially work clothes have a stored temp file for them.
You have you delete a file or found knowledge,
physical location of the device or the user. The same GPS was turned on. We have a pinpoint.
We have USB and drive usage as well as count and browser usage.
Some of the open source tools that could be used for analysis is your autopsy.
This is your guru in of the CLI version of autopsy is the Sleuth kit. You have wear a shark for your network analysis, or you can use T shirt for a command line.
You have a VM where or your virtual box for being able to create your own virtual images in the event you want to use something such as Cali and the next to perform and further forensics or examination your USB or your hard drive right. Baqer
and your abdicate imager are all just open source tools
that are available on the Web for you to use, depending on your use case.
So I hope you enjoyed today's episode. Like I said, this was just an overview of topics that have already been discussed, such as you general guidelines for forensic analysis,
talking about Windows event logs on the usefulness of those data sources,
your Web browser, data files and how this is useful for an examiner or even attacker Web artifacts and some open source tools.
In future videos, you're gonna see examination off
an image using after King imager using the image forensics capstone Mad that we performed in a previous module. We're gonna go ahead and review a malicious file
and dive deeper into the Sina graphic process.
Hope you enjoyed today's episode and now catch of the next one.