Investigation Process

Video Transcription
Hi and welcome to Everyday Digital Forensics. I'm your host, and in today's module of digital discovery we're gonna go over the investigation process.
So first and foremost, what is digital forensics?
Digital forensics is a process where we develop and test hypotheses that answer questions about a digital event. This is done using the scientific method: we develop a hypothesis using the evidence that we find, and then test the hypothesis by looking for additional evidence that would show the hypothesis is impossible.
So what does this all mean? Using the scientific method, we come up with a hypothesis based on our initial evidence, so the crime scene or the suspect.
And then, from there, we dive into the evidence and start showing correlations between the pieces of evidence to determine whether our hypothesis is impossible. Failing to show that our hypothesis is impossible then in fact supports that it is possible.
So what is a digital investigation?
The main purpose of the investigation is to use some type of digital evidence from a device that was involved in an incident or a crime.
The device could be involved in a physical crime or have executed a malicious digital event.
So some examples of this would be conducting research about a physical crime: we found on the suspect's machine that he had been researching how to properly dig a grave, or finding different material that could be used for the crime that he is suspected of committing.
Another example is unauthorized access to a machine.
This was a case of students who found that their grades had been changed. On investigating the professor's machine, the investigators saw Remote Desktop Protocol invoked within the logs, which showed that the professor's laptop was accessed via one of the computer lab's machines.
On the computer lab machine, at the time of the crime, they eventually saw that a student had in fact signed in to that desktop and executed the RDP program. Using this evidence, an investigator can correlate the events and establish that these crimes were conducted.
So when handling the suspect's devices at a crime scene, what should be documented?
There's a long list of items that should be documented; this is just a starting point. The state of the device should be documented: whether the device was live or dead.
A live device would be a machine that was left on; dead would be a machine that was shut down.
If the machine was on, the number of processes that were running,
and any open and accessible applications. There's a difference between the number of processes and the applications, since some processes run in the background. We want to see which actual applications are open: what tabs are open, what browser was open, what Microsoft Office Suite documents were open. Of course, the imaging process that was done: what tool and what device was used to image the suspect's device. The hash values recorded at the final state of imaging.
Volatile memory that was acquired. Volatile memory is your RAM, data that is constantly changing and is lost once the machine powers off, along with other transient state such as the network connections that were active.
The location of the device, where the device was positioned: was it in the suspect's car? Was it on their desk? The make and model of each device, including its condition: this laptop looked like it was kind of beat up, was it a newer model or an older model. Taking a photo of the desktop of the device in question,
kind of just preserving the state of the machine before it's touched.
And then there may be other items that were left off this list or just overlooked.
So the purpose of today's lecture is to go over some of the core concepts of the digital forensics investigation process.
We'll also review general guidelines in the forensics process. We'll get a clear understanding of the classifications of the CIA security model. Now, this is not the CIA as in the Central Intelligence Agency; this is a different type of CIA, and we'll get into that. So, the digital forensics investigation: what the investigation process looks like.
So, first and foremost, we have the identification process. This is where we identify the different types of evidence and whether or not they're relevant to the case. So we go into the suspect's home
and we see a modem, we see a laptop, we see a cell phone or a printer, all these different items, and we determine which of these will hold evidence for us. We validate that all the evidence is available and functional. Out of all the items on that list, the cell phone may have been beat up. It may be a very old phone that no longer turns on. It looks as if hardware and parts were taken out. There is no functionality in that device, and there's no information that we can pull from it,
so that's not evidence that we can use.
And then verifying the integrity of the forensic device: we want to assure that the image and the information that we actually review is in the state in which we retrieved the information.
The next step is preservation. We preserve the state of the digital crime scene,
so we want to reduce the amount of evidence that may be overwritten or changed while we're in the process of acquiring an image of our digital evidence. We want duplicate copies of the image, so you'll create your first image of the device, then you make a copy of the original,
put away the original image and only work off the copy. In the event you need an additional image because the one that you worked on was mistreated or mishandled, you can go ahead and use the original to make another copy and continue your work. Those steps preserve the state of the digital crime scene because you're not working off the original copy.
You're keeping the original as the state of the digital crime scene, and that reduces the amount of evidence that may be overwritten or changed. Our next step is collection. So we've gone to the crime scene, we're gonna preserve our image, and this is the state in which we're gonna do it. So let's go ahead and create a disk image. Collection can be either live or dead.
Dead is when the machine is not turned on and there are no processes running; live is when the machine is running. We'll do a physical collection of the devices, and the devices must be preserved to be considered admissible in a court of law.
So this goes back to the previous step: preserving the state in which you retrieved it.
The analysis phase is generally defining the general characteristics of the objects for which we're searching and then looking for those objects in the collected data.
So we're reviewing our collection of data. We've now gone through the image, we've pulled out different evidence, we review it and start using it to support or disprove our hypothesis.
And then reporting. Reporting is very important in the investigation process, as you should document all your actions. This includes searches that you have not yet conducted, searches that you have conducted and their results, and then a timeline of the analyst's efforts. So, documenting when an acquisition was performed,
documenting when the copy of the original acquisition was made,
if there was a handover to another analyst, and the amount of time that an analyst spent on one certain section. Efforts must be reproducible. So in the event that a report is given to another investigator or examiner, they should be able to follow through your report and reproduce the same evidence and information that you did.
Now for some general guidelines of forensic analysis.
The first, as previously mentioned, is preservation. You just want to avoid modifying data that could be evidence,
so once again, create a copy of the important data, put the original in a safe place and only work off the copy.
During your analysis, you should be calculating your hash values. Hash values should be calculated after the imaging, before you start your analysis, and after the analysis, just to confirm the integrity of the data.
In the process of acquisition and analysis, you should be using a write-blocking device so nothing is written back to the suspect media,
and when doing a live acquisition or a live analysis of the device, keep to a minimum the number of files that are created, as well as the files that you open, on the suspect device.
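As an added example, not part of the original lecture, here is what the preservation and hashing guidelines above look like in code: hash the original image at imaging time, cut a working copy, prove the copy is bit-identical, re-hash the copy before and after analysis, and record every step in a timestamped log so another examiner can reproduce it. The file names are hypothetical and the "image" is a few constructed bytes written to a temporary directory.

```python
"""Preservation and integrity checking for a disk image (added example).

Works on a constructed stand-in for a dd image written to a temporary
directory, so it runs offline. File names are hypothetical.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images never need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CaseLog:
    """Append-only, timestamped record of every action taken on the evidence,
    so another examiner can follow the steps and reproduce the result."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, action: str, **details) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action, **details}
        self.entries.append(entry)
        return entry


def preserve_image(original: Path, working_dir: Path, log: CaseLog) -> Path:
    """Hash the original, make a working copy, and prove the copy is bit-identical."""
    original_hash = sha256_file(original)
    log.record("hash_original", path=str(original), sha256=original_hash)
    working = working_dir / (original.name + ".working")
    shutil.copyfile(original, working)
    log.record("create_working_copy", source=str(original), copy=str(working))
    copy_hash = sha256_file(working)
    log.record("hash_working_copy", path=str(working), sha256=copy_hash)
    if copy_hash != original_hash:
        raise RuntimeError("working copy does not match the original image")
    return working


def verify_unchanged(path: Path, expected_sha256: str, log: CaseLog, stage: str) -> bool:
    """Re-hash at a named stage (before/after analysis) and log whether it still matches."""
    actual = sha256_file(path)
    matches = actual == expected_sha256
    log.record("verify_hash", stage=stage, path=str(path), sha256=actual, matches=matches)
    return matches


def demo() -> dict:
    """Run the workflow end to end; one analysis step deliberately writes to the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        original = tmpdir / "suspect_laptop.dd"  # constructed stand-in, not a real image
        original.write_bytes(b"\x00" * 4096 + b"constructed boot sector" + b"\x00" * 4096)

        log = CaseLog()
        working = preserve_image(original, tmpdir, log)
        baseline = log.entries[0]["sha256"]  # the hash recorded at imaging time

        before = verify_unchanged(working, baseline, log, "before_analysis")
        # Simulate an analysis mistake: a tool writes into the working copy.
        with working.open("r+b") as f:
            f.seek(4096)
            f.write(b"XXXX")
        after = verify_unchanged(working, baseline, log, "after_analysis")
        # The original was never opened for writing, so a fresh copy can be cut from it.
        original_ok = verify_unchanged(original, baseline, log, "original_recheck")

        return {
            "before_analysis": before,
            "after_analysis": after,
            "original_intact": original_ok,
            "log_entries": len(log.entries),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the three checks: the before-analysis hash matches, the after-analysis hash fails on purpose because the copy was written to, and the untouched original still matches the imaging-time hash, which is exactly why you only ever work from the copy.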
Next up is isolation. During a live acquisition and during a live analysis
it's very difficult to isolate the environment; however, to perform a proper analysis of an image,
it's smart to isolate the environment from both the suspect's environment, which would be the device or the machine itself, or their home or their WiFi, and from the outside world. So this could be using a separate workstation on its own network, its own isolated space, to perform your analysis. So why would you want to do this?
In the event that the machine has, let's say, a worm:
if you're doing this analysis on your own work laptop on the corporate network, you could potentially expose your machine and your work network to anything that that device may have. So isolating it reduces the risk of both
an external intrusion as well as an internal intrusion spreading out.
The next guideline is correlation. To reduce the risk of forged data, you collect data from independent sources, and with this you'll be connecting the dots between those independent sources to help support or disprove your hypothesis.
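As an added example, not part of the original lecture, here is the correlation guideline applied to the changed-grades case from earlier in the module: the hypothesis is that the professor's laptop was reached over RDP from a lab PC and that a particular student was at that PC's console. The two sources are independent: the Security log on the target and the RDP client's own log on each lab PC. Every log line, hostname, IP and the asset inventory are constructed for the example; the event IDs are real ones (4624 with LogonType 10 is an RDP logon on the target, and 1024 in Microsoft-Windows-TerminalServices-RDPClient/Operational records an outbound RDP connection attempt on the client). A target-side logon that no client-side record supports is left uncorroborated rather than assumed.

```python
"""Correlating two independent log sources to test a hypothesis (added example).

All log lines, hosts, IPs and the inventory below are constructed. The event IDs
are real: 4624/LogonType 10 (RemoteInteractive) is an RDP logon on the target;
1024 in Microsoft-Windows-TerminalServices-RDPClient/Operational is the client's
record of trying to connect to a named server.
"""
import re
from datetime import datetime, timedelta

# Source A: Security log on the target (professor's laptop), one event per line.
PROFESSOR_SECURITY_LOG = """\
2024-03-04T21:55:12Z EventID=4624 LogonType=2 TargetUserName=professor IpAddress=-
2024-03-04T22:03:41Z EventID=4624 LogonType=10 TargetUserName=professor IpAddress=10.20.5.17
2024-03-04T22:04:02Z EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe
2024-03-05T08:10:00Z EventID=4624 LogonType=10 TargetUserName=professor IpAddress=10.20.5.99
"""

# Source B: logs pulled independently from each lab PC (console logons, process
# creation, and the RDP client's own record of which server it connected to).
LAB_PC_LOGS = {
    "LAB-PC-17": """\
2024-03-04T21:58:30Z EventID=4624 LogonType=2 TargetUserName=student42 IpAddress=-
2024-03-04T22:03:37Z EventID=4688 NewProcessName=C:\\Windows\\System32\\mstsc.exe
2024-03-04T22:03:38Z EventID=1024 Channel=TerminalServices-RDPClient Server=PROF-LAPTOP
""",
    "LAB-PC-99": """\
2024-03-05T08:05:00Z EventID=4624 LogonType=2 TargetUserName=student07 IpAddress=-
""",
}

# Constructed asset inventory mapping lab IP addresses to hostnames.
IP_TO_HOST = {"10.20.5.17": "LAB-PC-17", "10.20.5.99": "LAB-PC-99"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")


def parse_log(text: str) -> list[dict]:
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(token.split("=", 1) for token in m["kv"].split())
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def rdp_logons(target_events: list[dict]) -> list[dict]:
    """RDP (RemoteInteractive) logons recorded on the target machine."""
    return [e for e in target_events
            if e.get("EventID") == "4624" and e.get("LogonType") == "10"]


def console_user_at(client_events: list[dict], when: datetime):
    """Most recent interactive (LogonType 2) logon on the client at or before `when`."""
    logons = [e for e in client_events
              if e.get("EventID") == "4624" and e.get("LogonType") == "2" and e["ts"] <= when]
    return max(logons, key=lambda e: e["ts"])["TargetUserName"] if logons else None


def correlate(target_events, client_logs, ip_to_host, target_name,
              window=timedelta(seconds=30)) -> list[dict]:
    """For each RDP logon on the target, look for the client's independent record of
    connecting to it within `window`; an unmatched logon stays uncorroborated."""
    findings = []
    for logon in rdp_logons(target_events):
        host = ip_to_host.get(logon["IpAddress"])
        finding = {"target_logon": logon["ts"].isoformat(), "source_ip": logon["IpAddress"],
                   "source_host": host, "corroborated": False, "client_user": None}
        client_events = client_logs.get(host, []) if host else []
        matches = [e for e in client_events
                   if e.get("EventID") == "1024" and e.get("Server") == target_name
                   and abs(e["ts"] - logon["ts"]) <= window]
        if matches:
            finding["corroborated"] = True
            finding["client_connect_time"] = matches[0]["ts"].isoformat()
            finding["client_user"] = console_user_at(client_events, matches[0]["ts"])
        findings.append(finding)
    return findings


def demo() -> list[dict]:
    target = parse_log(PROFESSOR_SECURITY_LOG)
    clients = {host: parse_log(text) for host, text in LAB_PC_LOGS.items()}
    return correlate(target, clients, IP_TO_HOST, "PROF-LAPTOP")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The first RDP logon is corroborated by LAB-PC-17's own connection record three seconds earlier, with student42 at the console; the second logon, from LAB-PC-99, has no matching client-side event and is reported as uncorroborated, which is the point of the guideline: one source alone does not carry the hypothesis.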
And then, lastly, is logging. Document your efforts; identify the searches you performed and the searches not performed, and your overall results.
So a question I get a lot is: why do I have to document the searches that I have not performed? In the event of a handoff, or of your report being put before a court of law, in the event that they want to discuss your report and start mentioning,
"You came to this conclusion in this investigation; however, you never did X, Y, Z,"
if you can document that it was your intention to do X, Y, Z,
you can go ahead and say, "I wanted to perform those searches. My
conclusion of my investigation is based on
my searches of A, B, C. However, X, Y, Z was taken into consideration, but due to time gaps, prioritization or any other reasoning, I could not reach that." It lets them know that it was in your mind to perform those searches, but due to some outside force, you could not continue.
So now the CIA security model. There are three parts. The C stands for confidentiality, which is the protection of the data from unauthorized disclosure. This is typically addressed in security by least privilege. Some examples could be trade secrets, intellectual property, and military strategies.
We also have integrity for the I in CIA,
which protects data from unauthorized alteration. This is typically addressed in security by separation of duties.
Typical security controls are encryption, for confidentiality, and checksums or hashes, for integrity. The A in CIA is availability. You want your system accessible by authorized personnel, so one way to address this is to eliminate any single points of failure.
So what were the five steps of the digital investigation process?
You have your identification, your preservation, your collection, your analysis and your reporting.
So in today's video, we discussed what a digital investigation is.
We went into the process of investigating digital evidence,
talked on some of the general guidelines for performing the investigation steps, and briefly talked about the CIA security model.
So I hope you enjoyed today's video and I'll catch you in the next one.