Time: 7 hours 36 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers the phases of investigation, which consist of: Preparation, Preservation, Duplication, Analysis, and Reporting.

Video Transcription

00:03
Moving on from there, we can now talk about the phases of the investigation. So we essentially have five phases of forensic investigation, and we have a follow-on hands-on video after this that will kind of take us through the phases of the investigation.
00:22
But the first phase is preparation,
00:25
getting ready to do the incident response. The next phase is the preservation of evidence. The third phase is the duplication of any evidence we find, then the analysis, and then the reporting phase of the investigation.
00:41
So
00:42
beginning with the preparation phase, one of the first questions you have to ask is, what authority do you have when getting ready to do your forensic response?
00:52
Um,
00:54
Normally, if you work for a corporation and you're going out responding to some type of incident and they need additional forensic information, that is generally all the authority you need.
01:04
If you're working in law enforcement or government,
01:07
do you have the appropriate search authority? Do you have consent? Do you have a search warrant?
01:14
All of those caveats need to be understood before you go out and do your search.
01:21
The next question: you want to identify what type of
01:25
operating system you are going to be encountering. If you work,
01:30
again, in a corporate environment, or even in the government, generally you have an idea what type of operating systems you're gonna come across. More than likely, it's probably going to be a Windows system; that is predominantly what's used throughout the world. However, some
01:46
organizations do use a lot of Macs, and then some organizations use a lot of Linux machines or UNIX machines. So identifying what type of operating system is out there will help you identify some of the materials and software that you're going to need in that preparation
02:06
phase.
02:07
Another question you want to ask yourself: how old is the hardware that you're going to be essentially interfacing with? A lot of times, especially within the government sector, you have some of these servers that have been around and are as old as Methuselah,
02:23
and there is essentially no one left that knows how these things work.
02:28
Who established them? What type of code is written on these? And people just leave them alone and let them sit,
02:34
and when it comes time to investigate these, you would essentially find that they use cables or processes that you've never heard of. So kind of identifying the hardware and the information systems that are going to be within your network, that you might
02:53
one day have to investigate
02:54
is a good step, and having the right equipment when necessary.
03:00
Another consideration to think of is asking the question of who uses the computer.
03:07
Are there multiple suspects? Does someone log in and log out, and then another person logs in after them? It helps narrow the focus of your investigation and also helps you identify what information might be useful and what information may not be useful. For instance, if someone were to
03:27
log in after a
03:29
particular suspect, the collection of volatile data may not be as beneficial, since they may have logged out and cleared that cache from the previous user, so that's something to consider.
03:43
After asking those basic questions, you can kind of start preparing that basic forensic toolkit that you're going to use in your investigation.
03:52
So one of the first things that you're gonna want is sterilized, pre-wiped media, which would include your USB media and your external hard drives. And as you're going to see in the follow-on hands-on video,
04:10
wiping one of these devices, although it's a fairly easy process, is very time-consuming.
04:15
We're going to wipe a 64 gigabyte thumb drive, and you'll see that it can take roughly two hours to wipe that device. So having all of these devices pre-wiped and pre-staged is going to help you out immensely when it comes time to begin work on the
04:34
forensic investigation.
04:38
After that, we have the use of surgical gloves; that just helps keep everything sanitary and helps keep the equipment inside the computer system from being damaged by the grease, dirt and oil on your hands.
04:55
The next thing that you're gonna wanna have is your computer toolkit, which includes screwdrivers, Torx bits and pliers. That's gonna be to help you remove
05:02
hard drives from systems or get into systems to do your forensic investigation.
05:11
We're also gonna wanna have evidence tags, markers, sticky notes, tape, pens and so on and so forth. This will make your investigation a lot easier. If you have
05:21
multiple cables or multiple devices, multiple thumb drives, being able to tag and mark those and identify them easily with the sticky notes and tape is very beneficial to you. If you have a lot of connections in the back of your computer, being able to label those and take a picture of them will also help.
05:41
Speaking of taking pictures, having a camera is very important, and not just having one camera, but sometimes having two, because when you need it the most, you probably will find out that it's going to fail.
05:53
Then also having anti-static bags and wrapping materials; that way, when you do collect a lot of hard drives, for instance if you go to someone who is pretty computer savvy, or they have a lot of illicit material on these hard drives they have at home,
06:12
you may end up coming across,
06:15
ah, a stack of hard drives, and you're gonna want to package those in these anti-static bags to keep them from being damaged. Also, along with the anti-static bags, Faraday bags; they're particularly useful for cellular devices you're going to image. Those
06:32
the Faraday bag will essentially keep
06:34
electrical signals from getting into the bag
06:39
and changing the state of the device.
06:43
A magnifying glass to see small, fine print on serial numbers on certain devices.
06:49
Cable ties, just to help keep things nice and easy.
06:54
And then we have additional suggested tools. Again, we talked about data cables: 16-bit SCSI, IDE, SATA, USB, Cat 5 crossover, FireWire; all these types of cables you're going to want to include in your kit bag just because you don't know necessarily what type of
07:13
devices you're going to come across.
07:15
Grounding straps, just in case you're taking a system apart and you want to prevent electrostatic shock from damaging,
07:25
uh, the hard drive in the system; a grounding strap would be very useful. Write blockers for various media: those could be either software or hardware, which we'll talk about a little bit later.
07:35
Computer screws and jumpers. Occasionally, you're just going to need those because they get lost.
07:41
A software library, boot media,
07:44
storage drivers, blank CDs/DVDs and forensic software.
07:48
We'll get into that pretty extensively.
07:51
Um,
07:51
you can create essentially a Kali Linux boot disk, or whatever flavor of Linux you like on a boot disc, in order to help
08:00
do your
08:03
imaging of a computer system. And then you can create your forensic software that you're going to use to put into your victim machine to help you get the data off that machine that's necessary.
08:18
You may also want a network interface card, a crossover, an imaging disk drive and duplicator, and then, lastly, write-protected USB or external storage drives. That just helps to ensure that the data you've acquired is essentially not changed.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor