Part 2 - The Phases of Investigation

This lesson covers the phases of investigation, which consist of: · Preparation · Preservation · Duplication · Analysis · Reporting


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription
00:03
Moving on from there, we can now talk about the phases of the investigation. We essentially have five phases of forensic investigation, and we have a follow-on, hands-on video after this that will take us through the phases of the investigation. But the first phase, it's preparation, getting ready to do the incident response. The next phase is the preservation of evidence. The third phase is the duplication of any evidence we find, and then the analysis, and then the reporting phase of the investigation.

Beginning with the preparation phase, one of the first questions you have to ask is, what authority do you have when getting ready to do your forensic response? Normally, if you work for a corporation and you're going out and you're responding to some type of incident and they need additional forensic information, that is generally all the authority you need. If you're working in law enforcement or government, do you have the appropriate search authority? Do you have consent? Do you have a search warrant? All of those caveats need to be understood before you go out and do your search.

The next question you want to identify is, what type of operating system are you going to be encountering? If you work, again, in a corporate environment or even in the government, generally, you have an idea of what type of operating system you're going to come across. More than likely, it's probably going to be a Windows system. That is predominantly what's used throughout the world. However, some organizations do use a lot of Macs, and then some organizations use a lot of Linux machines or Unix machines. Identifying what type of operating system is out there will help you identify some of the materials and software that you're going to need in that preparation phase.

Another question you want to ask yourself is, how old is the hardware that you're going to be essentially interfacing? A lot of times, especially within the government sector, you have some of these servers that have been around and are as old as Methuselah, and there is essentially no one left that knows how these things work, who established them, what type of code is written on these, and people just leave them alone and let them sit. When it comes time to investigate these, you would essentially find that they use cables or processes that you've never heard of. Identifying the hardware and the information systems that are going to be within your network that you might one day have to investigate is a good step in having the right equipment when necessary.

Another consideration to think of is asking the question of who uses the computer. Are there multiple suspects? Does someone log in and log out? Does another person log in after them? That helps you narrow the focus of your investigation and also helps you identify what information might be useful and what information may not be useful. For instance, if someone were to log in after a particular suspect, the collection of volatile data may not be as beneficial, since they may have logged out and cleared that cache from that previous user, so that is something to consider.

After asking those basic questions, you can then start preparing that basic forensic toolkit that you're going to use in your investigation. One of the first things that you're going to want is decrease sterilized pre-wiped media, which would include your USB media and your external hard drives. As you're going to see in the follow-on hands-on video, wiping one of these devices, although it's a fairly easy process, is very time consuming. We're going to wipe a 64 gigabyte thumb drive, and you'll see that it can take roughly two hours to wipe that device. Having all of these devices pre-wiped and pre-staged is going to help you out immensely when it comes time to begin your forensic investigation.

After that, we have the use of surgical gloves. That just helps keep everything sanitary, and helps keep the equipment inside the computer system from being damaged by the grease and dirt and oil on your hands. The next thing that you're going to want to have is your computer toolkit, which includes screwdrivers, Torx bits, and pliers, and that's going to help you remove hard drives from systems or get into systems to do your forensic investigation. You're also going to want to have evidence tags, markers, sticky notes, tape, pens, and so on and so forth. This will make your investigation a lot easier: if you have multiple cables or multiple devices, multiple thumb drives, being able to tag and mark those and identify them easily with these sticky notes and tape is very beneficial. If you have a lot of connections in the back of your computer, being able to label those and take a picture of them will also help.

Speaking of taking pictures, having the camera is very important. Not just having one camera but sometimes having two, because when you need it the most, you probably will find out that it's going to fail. Then also having anti-static bags and wrapping materials. That way, when you do collect a lot of hard drives, for instance, if you go to someone who is pretty computer savvy, or they have a lot of illicit material on these hard drives that they have at their home, you may end up coming across a stack of hard drives, and you're going to want to package those in these anti-static bags to keep them from being damaged. Also, along with the anti-static bags, Faraday bags; they're particularly useful for cellular devices. If you're going to image those, the Faraday bag will essentially keep electrical signals from getting into the bag and changing the state of the device. A magnifying glass to see small fine print and serial numbers on certain devices. Cable ties just to help keep things nice and easy.

Then we have additional suggested tools. Again, we've talked about data cables: 8-bit, 16-bit SCSI, IDE, SATA, USB, CAT5, crossover, FireWire. All these types of cables you're going to want to include in your kit bag, just because you don't necessarily know what type of devices you're going to come across. Grounding straps, just in case you're taking a system apart and you want to prevent electrostatic shock from damaging the hard drive in the system; a grounding strap would be very useful. Write blockers for various media; those can be either software or hardware, which we'll talk about a little bit later. Computer screws and jumpers; occasionally, you're just going to need those because they get lost. Software library, boot media, assorted drivers, blank CDs, DVDs, and forensic software, which we'll get into pretty extensively. You can create essentially a Kali Linux boot disk, or whatever flavor of Linux you like, boot disk in order to help do your imaging of a computer system, and then you can create your forensic software that you're going to use to put into your victim machine to help you get the data off of that machine that's necessary. You may also want a network interface card for crossover imaging, disk drive, and duplicator. Then lastly, write-protected USB or external storage drives; that just helps to ensure that after you acquire the data, it is essentially not changed.