Part 3 - The Preservation Phase of Investigation

Video Activity

This lesson covers the preservation phase of investigation. This must take place quickly to make sure evidence is preserved accurately. Investigators must take careful and accurate notes, record information such as times and actions taken, and be sure to initial and sign off on everything.


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription
00:03
Moving on from the preparation phase, we go into the preservation phase. The first part of the preservation phase is that when encountering a system, investigators must perform a rapid assessment of activity to ensure the preservation of any evidence. What that means is being able to look at a system and being able to determine if something is happening on that machine that is essentially going to change its state and damage any type of evidence, and that's going to hurt, and not just on the system, but maybe in the room where you find the system. Having that situational awareness of not just the machine, but your entire surroundings, is going to aid you in being able to preserve all of that evidence.

One of the first things that the investigator is going to want to do as part of that preservation process is to take notes. The note-taking essentially relates to what happened during the investigation. Notes are going to be very important, especially if you have to be in court. Oftentimes, a defense attorney will not necessarily attack the evidence per se; they're going to attack the investigator, which would be you. Any little thing that they can find that you did wrong during your investigation, they're going to try and pick that apart and destroy your case. That's why it is of great importance that you record in detail, in your notes, every action that you take from the time that you become aware of the incident to the time you complete your entire investigation.

Here are some key note-taking points. The first thing that you're going to want to do is write in ink. Obviously, writing in pencil would subject your notes to change; writing in ink essentially makes them permanent. Then you would want to put your name and organization on the first line at the top of the page. The location of where the incident occurred, to the smallest details: not just the address of 123 Main Street, but if you have a suite number and office number, a desk number, down to that very small granular detail. You'll want to list any individuals who were present at the time of you acquiring that data or responding to the incident. Law enforcement investigations generally have crime scene tape up, and anyone who comes in and out of the crime scene, their name must be written down on that log. On from that, we have the initialing of each page and putting a number on each page. Then we want to cross out any mistakes that we make on our notes and initial above them. We must include any diagrams and photographs that we make in our notes, or reference them and make them available. At the end of the notes, we would include the statement "nothing follows," and then we detail any and all actions that we take. Something as simple as arriving on the scene and securing the scene, that should appear in your notes. Then, very granular details about the operating system, to include any information that we return from the OS from any commands that we enter. If we find any media lying around, per se, we find a thumb drive, which we are going to get into later in the hands-on portion, we have to write the granular detail: if I found a gray SanDisk Cruzer 2.0 gigabyte thumb drive with serial number 1234 on the back. Lastly, we're going to want to include a known good local time and annotate the source of where we obtained that. That known good local time will help us to normalize all the times that we find throughout our investigation to that one time. Often, systems may not be set to the appropriate time. If you have a suspect who was particularly savvy, they may try and finagle the settings of the clock in order to help obfuscate some of their activities. So including a known good local time and annotating that in your notes is of key importance.

Here's an example of the notes. As you can see, at the top of the page, I have the title of investigator notes. We have our Case 1234. If you are working, particularly in an incident response office, you may have an incident response number, so that the case number may replace that incident response number. The investigator's name, I put my name there. Your organization that you're doing this forensic investigation for, and then the section headings: date and time, the actions that were taken, and the results. Essentially, if we respond to the incident on 1st of August 2016, we arrived at the scene of 123 Main Street, Anytown, Maryland 12345 zip code. Then from there, we obtain a known good local time. You can use an Internet resource such as timeanddate.com. You can also use your cell phone, just as long as you annotate where that time came from. Then the next thing that we see in our notes is that we secured the scene, and then any individuals that were present, we can attach a roster of who was there. Hopefully, the third step, you've already completed before you got to the incident scene. But in case you did not, you can wipe the media and then annotate that in your notes, and we'll show you how to wipe media using the EnCase Forensic Imager in the hands-on section. Then down at the bottom, you can see the title of nothing follows, followed by an investigator signature, and page 1 of 1.

In conjunction with the notes, photography will help build credence to your investigation and help keep track of what was done during your investigation. It is often the best way to record information of the scene. You can sit and write a lot and essentially write the novel War and Peace, or I can take a photograph of it and write some cursory notes of what happened. I'm not in favor of writing War and Peace; I would just rather take a photograph of the scene and record that in my notes section. Considerations, though, when using photography are that a flash can cause reflection onto the screen, which can distort your image and make it not usable. Also, screen refresh rates can obscure your photography. So you're going to want to use a slow shutter speed, usually about 1/60 of a second, and that's about the refresh rate of most screens in the United States. I think overseas they use a 1/50 of a second refresh rate. However, the slower the shutter speed you can use, the better it's going to be. However, if you get a lot slower than 1/60, because the shutter speed is so slow, it's going to require a lot of balance and steadiness in your hands, and you're probably not going to be able to do that without the use of a tripod. So 1/60 of a second is generally the recommended speed, especially for hand photography. That being said, it's very important to know your equipment. The time to figure out how your camera works is before you respond to the incident, not during. If you get one of these very expensive DSLR cameras, figure out how it works before you get there. Then, the old mantra of two is one and one is none. Even if you have this very nice expensive DSLR camera, if it's the only one you have, it's going to break when you need it the most. So having something as a backup, even an iPhone, is better than nothing. Never alter the photographs, because any evidence that you take, especially if you're going to go to court, it needs to be admissible and you have to qualify that evidence. Altering the evidence after you take a picture essentially makes those photographs unusable in a court process. Then after you take the photographs, you're going to want to hash those photographs. Then we go into some detail in the hands-on portion on how to use MD5 hash. We're going to hash a memory file that we are going to create from volatile memory from the system. The same process of running MD5 hash on a volatile memory file is applicable to any type of file. So you can hash one file, you can hash five. But we'll show you how to do the MD5 hashes.