Time
8 hours 6 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

This lab-based lesson continues where the previous lesson left off. Participants receive step-by-step instructions on how to format a disk that will be used in the forensics process during incident response.

Video Transcription

00:04
So after we finish wiping the device, we're going to have to format it. So the next step of the process is to go
00:11
to
00:13
our file viewer,
00:17
and we're going to find our thumb drive,
00:20
and it's going to tell us to format it, so we can format it.
00:25
From here, you will see that it's a 57.8 gigabyte capacity. The file system is going to give you options between exFAT and NTFS. Leave it at exFAT if given the option; that way, you can use your device across multiple operating systems and not just limit yourself to one operating system.
00:45
You can leave the allocation unit as the default setting. The volume name, if you want to name your device,
00:55
you can name it,
00:57
and then leave the quick format setting as it is. Like I said, it's going to tell you that you're going to erase all the data on the disk, but we've already erased all the data on the disk,
01:08
so we can hit OK,
01:11
and format is complete. Close.
01:15
And we can see here now that we have a forensic
01:18
thumb drive in our drive letter E.
01:23
So from here
01:25
If you want to verify exactly what is on your device,
01:29
you can go to the AccessData FTK Imager.
01:36
Just click through those prompts,
01:41
go to File,
01:44
and you're going to add an evidence item.
01:47
It's going to be a physical drive.
01:51
And we're going to scroll to the location of our drive. It's going to be that SanDisk Ultra USB, 62 gigabytes.
01:59
Going to click Finish,
02:01
and then it's mounted our device.
02:05
So from here,
02:07
you can see that the first part of this is giving you information about the file system on the device.
02:13
And then as we scroll down
02:15
a little bit more,
02:17
you can see that there's actually a little bit of data left on there. If we had let it run
02:23
more, it would probably have gotten rid of that. But then the rest of the device, which we actually formatted before, is all zeros,
02:35
so we can see that the device has been
02:38
wiped.
02:43
So from here, the next part of the process is to actually ensure that we have all of the write blocking technology set up and ready to go before we start inserting any of the seized media into our forensic machine and we begin imaging it.
03:00
That way we can ensure that we're not going to write data to the seized media and contaminate or taint the evidence that we've seized, which would essentially render all of it useless. The whole point of forensics and digital forensics is to
03:19
preserve the evidence in its original state.
03:22
That way we can look at an exact copy and duplicate of that evidence.
03:28
So in order to ensure that we're going to preserve that evidence, we have to install some type of write blocking technology on our forensic system. So that could be a hardware write blocker that's in line with the device that you've seized, or it could be a software write blocker.
03:47
So as we discussed,
03:50
we're going to use the USB
03:53
write blocker. So we will click on that,
03:55
and from here, you're going to come to a screen
04:00
that says
04:01
hit one to enable the USB write blocker, hit two to disable the USB write blocker, and three to exit.
04:11
We want to enable the write blocker, so we're going to type one
04:15
and then hit Enter. And then you're going to get these pop-ups if you haven't turned this thing off
04:20
on Windows. Just click Yes.
04:25
And then it's going to tell you to type any key to continue.
04:30
So now we've continued.
04:32
And as you can see at the top of the status notification, the USB write blocker is on.
04:40
Now, we haven't taken out the drive that we just forensically wiped, so you will be able to write to that device. However,
04:49
any other device that you insert into the system, you will not be able to write to that device.
04:59
So just as an example, don't do this in the field.
05:02
But as an example that you can write data to your device, I'm just going to drag the EnCase Imager over here
05:14
and just click Yes through that.
05:17
So as you can see, I was able to copy the EnCase Forensic Imager to our thumb drive. So it is not write blocked, and we're able to write to it,
05:30
so we can get rid of that
05:30
EnCase program.
05:32
Delete it off.
05:34
And then once we have the write blocking software turned on, we are ready to insert our seized media. In this case, we're going to be using a seized thumb drive.
05:49
However, before we begin
05:53
inserting the media into our forensic machine or
05:59
capturing the data, we want to record any type of specifics about this device. So when you're on the scene of your investigation, before you start picking up any media, and before you start doing your actual
06:15
duplication of the media, you're going to want to denote in your notes what type of device you have. And you're also going to want to take a picture of where the device was found,
06:28
and also record that in your notes. That way, whoever comes behind you, if you have to go to court, can see exactly what it is that you did. So if you found this thumb drive beside a laptop, you would first want to take a picture of where you found it and then record in your notes
06:47
that you
06:48
photographed a thumb drive and the exact location of where that drive was located,
06:55
and then you're going to want to record the description of the device. So in our case, I have a grey
07:00
Cruzer Titanium 2.0 gigabyte thumb drive created by SanDisk.
07:08
And then, of course, on the back, you're going to have a serial number.
07:12
And that's where your magnifying glass
07:15
and flashlight would come in handy.
07:17
This device serial number is Bravo Echo 01
07:24
60 A C B B.
07:28
And you would want to put that in your notes, that this is the device that you recovered from the scene and the device that you're imaging.
07:35
After you have all of that recorded in your notes,
07:40
you can then begin the imaging process.
07:46
So from here, we're going to insert the device
07:49
into our forensic machine,
07:55
and we're going to get some pop ups.
07:58
So
08:00
it has popped up
08:01
as drive letter G.
08:05
And as we can see, we've got some files on our drive letter G,
08:11
and our write blocking software should be enabled. Now, just for test and demonstration purposes for this video, I'm going to try and write a file to drive letter G. Do not try this in the field. Again, you want to preserve evidence and not taint or destroy the evidence
08:30
in any way possible, but to show you that the write blocker is working,
08:33
we're just going to try and move a file, our program, over to it,
08:39
so just drag something over there,
08:43
and then it's going to tell you that the disk is write protected:
08:46
remove the write protection or use another disk. So we'll just hit Cancel. So as you can see, the write protection is on and enabled. If you have concerns about your software or hardware, before you actually get out to the scene and start doing your incident response and forensic examination,
09:07
you should test out your software or hardware to ensure that it works. So as you can see from this demonstration, the write blocking software is on, and we cannot alter the data that is on drive letter G.


Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor