Part 3 - Forensic Investigation Process


5 hours 31 minutes
Video Description

In this video we examine the seven steps of evidence collection:

  • Identification - identify something as evidence from what's left behind, such as fingerprints and DNA, as well as from what was taken.
  • Preservation - the chain of custody must be documented and provide a history of how the evidence was handled since digital evidence can be easily manipulated. Hashing is used to verify that data remains unchanged.
  • Collection - it's important to limit evidence handling. Document using photos and taking an image of the system. We must always work fast since some data is volatile. It's also important to do things legally and respect the Fourth Amendment.
  • Examination - just the facts!
  • Analysis - look for meaning in the data in order to find the "what" of the investigation.
  • Presentation - present the evidence in court along with any supporting evidence.
  • Decision - the final verdict from trial.
Video Transcription
All right, let's talk about the forensics investigation process. So again, we keep in mind that our goal is to present evidence in court. So these are the seven steps: identification, preservation, collection, examination, analysis, presentation in court
and then, ideally, a decision being made.
So we start out with identification, and what we're looking to do is identify something as evidence and see what information is left behind, what evidence is left behind. There's a principle called Locard's principle of exchange. And what that says is that for
someone who would take, a criminal who would take and come in. There's a crime and there's a theft; they leave something behind. Might be a fingerprint. Might be DNA. Or it could simply be the knowledge that what they took tells you something about them. So, for instance, if I take,
um, top secret information, that might tell you that perhaps I'm involved with espionage. So Locard's principle essentially says they're gonna leave something behind. You've gotta look for it.
All right. Now, the very first step of a first responder after they've identified that something is evidence is
preservation. And that's so very essential because, as you remember, when we talked about the steps of forensics and the requirements, we know that we can't modify evidence. So preserving evidence, we're gonna make sure that everything is documented.
Who has the evidence? What did they do with it?
When did they have it? You know, pretty much the who, what, where, when, why, how, and we're gonna refer to this as the chain of custody, and chain of custody is so very important. It's gonna track the history all the way up to the point where the evidence is actually presented in court.
We need to make sure that we're also able to guarantee the integrity of the evidence. And you'll notice down at the bottom, hashing algorithms are used to show that a hard drive, for instance, has not been modified. And we'll talk about that a little bit more later, but preserve the integrity of the evidence.
The next step is collection.
So going back, the things like minimizing, limiting the handling of evidence. Absolutely as much as possible. Document, document, document.
Uh, I'm not gonna read every single one of these, but where it says capture an accurate image of the system. You know, the idea is we would never want to work on an original. We wanna work on a copy. We can't risk damaging or modifying the original.
So when we talk about working with systems, we need a system image. We'll talk about that a little bit more.
Work fast. Always work from most volatile to least volatile, and volatile means likely to change. Usually what that has to do with is power. You know, when you lose power to a system, the contents of RAM are gone. So we want to be very cognizant about that.
We also want to make sure that if you're not well trained, if you're not on the incident response team, you want to limit very much what you do. Because most of the time people can very inadvertently and innocently erase evidence. So we want to make sure that
you're not going in and opening up files and folders or rebooting the system or powering it off
because in all likelihood, you're destroying evidence.
A few other things with collection. When we collect, as I mentioned, we're gonna work from most volatile to least volatile, and we're gonna make sure that we document every step along the way. So coming in, we're gonna photograph the area, make sure that we have what's in memory,
power down the system only after we've gone through a series of processes as documented in our incident response strategy. Um, photograph the inside of the system. That's fine. Label the evidence and document, document, document. You may need to get,
um, your internal departments, legal and HR, involved in the process.
All right, now, one other thing, or another couple of things with forensics: making sure that the evidence is acquired in a legal manner. So the Fourth Amendment provides protection against illegal search and seizure from law enforcement.
It does not apply to private citizens.
So, for instance, if as a manager I find some indication of a crime on your desktop, I can seize that information and turn it over to law enforcement. Law enforcement doesn't guarantee it's gonna be admissible, but I can do that without violating your Fourth Amendment rights.
Now, uh, evidence can be seized without violating Fourth Amendment rights in several situations. Anything that's been subpoenaed or discovered as a result of a search warrant.
Anything turned over voluntarily, of course. And then the last, exigent circumstances, and exigent circumstances mean that the evidence is in, um,
in danger of being destroyed, immediate danger of being destroyed. So in those elements we can bypass, law enforcement can bypass the Fourth Amendment.
Now, from collection, we move from examination to analysis. Now, examination is just the facts; we're just documenting information. What we're really doing is collecting data.
With analysis, we're looking for meaning in that data, and we want to take data and turn it into information. So analysis goes a little bit farther, goes a little bit deeper, and you'll notice the very first bullet point under analysis: primary image versus working copy.
The working copy should be a bit-level copy
of the system. We don't want to work on the hard drive. And as a matter of fact,
once we're ready to pull the original hard drive out of the system, we put that in a write-protected machine.
All right. And then we hash it.
Then we make a bit level copy
and we hash the copy.
The two hashes should be the same.
Then we analyze the copy and hash it again. And all three hashes should be the same. So it's very important that we follow those processes.
We present the information in court and any other supporting evidence, and then, ideally, the result of the investigation comes to a close.
So those were the processes of forensic investigation.
So if we go back identification, preservation, collection, examination, analysis,
presentation and decision.
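The three-hash check the transcript describes (hash the write-blocked original, make a bit-level copy and hash it, analyze the copy and hash it again, all three must match), worked through in Python as an added example that is not part of the course material. The sample "drive image", the handler names and the custody log format are constructed for illustration.

```python
import hashlib
import io
from dataclasses import dataclass, field


def sha256_image(data: bytes, chunk_size: int = 4096) -> str:
    """Hash an image in fixed-size chunks, the way a tool streams a large drive."""
    digest = hashlib.sha256()
    stream = io.BytesIO(data)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def bit_level_copy(original: bytes) -> bytes:
    """Byte-for-byte copy of the whole image, slack and unallocated space included."""
    return bytes(original)


@dataclass
class CustodyRecord:
    """Constructed chain-of-custody log: who handled the evidence, what they did, hash at that point."""
    entries: list = field(default_factory=list)

    def log(self, who: str, action: str, digest: str) -> None:
        self.entries.append((who, action, digest))


def verify_evidence(original: bytes, working_copy: bytes,
                    after_analysis: bytes, record: CustodyRecord) -> bool:
    """Return True only if original, fresh copy and post-analysis copy all hash the same."""
    h_orig = sha256_image(original)
    record.log("first responder", "hashed original drive behind write blocker", h_orig)
    h_copy = sha256_image(working_copy)
    record.log("examiner", "hashed bit-level working copy", h_copy)
    h_after = sha256_image(after_analysis)
    record.log("examiner", "re-hashed working copy after analysis", h_after)
    return h_orig == h_copy == h_after


# Constructed sample image: a few "sectors" of data followed by zeroed slack (730 bytes).
ORIGINAL_IMAGE = b"MBR\x00" * 128 + b"budget.xlsx secret" + b"\x00" * 200


def run_intact() -> bool:
    """Analysis that touched nothing: all three hashes agree."""
    copy = bit_level_copy(ORIGINAL_IMAGE)
    return verify_evidence(ORIGINAL_IMAGE, copy, copy, CustodyRecord())


def run_tampered() -> bool:
    """An examiner accidentally flips one byte in slack space; the third hash exposes it."""
    copy = bit_level_copy(ORIGINAL_IMAGE)
    modified = bytearray(copy)
    modified[600] ^= 0x01
    return verify_evidence(ORIGINAL_IMAGE, copy, bytes(modified), CustodyRecord())
```

A single-byte change anywhere in the image, even in unallocated space no file system tool would show, breaks the match, which is why the copy is hashed again after analysis rather than only once.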