00:03
Moving on from photography, we go to the keys of preservation. Preserving evidence should be your primary goal. The investigators should not attempt to alter the system, or alter it as little as possible during the course of the investigation, by following sound incident responder principles. Some of the techniques that we're going to show you are going to be very minimal in changing the state of the system. However, some of the techniques that we're going to show you are going to change the state of the system slightly, and that's going to be really the only way that you can collect some evidence. That being said, you'd have to take certain considerations in mind as to why you're doing certain procedures and what evidence you may or may not be giving up if you do these procedures.

Keep in mind though, as you're going about attempting to preserve evidence, that computers may not be your only piece of evidence. There could be other witness devices such as IDSs, routers, firewalls, sniffers or other devices along that path that could have captured traffic during the incident. So don't just think of the computer, think of the other devices as well.

Then as we're collecting and preserving evidence, we want to collect it and preserve it in the order of volatility. That essentially is going to prioritize your preservation and collection to evidence that can change once the power is shut off. The goal being to collect the information that has the greatest likelihood of being changed once power is lost. Then the volatile data which we've talked about, it's running on the route system. The amount of data essentially is going to provide insight into the activities that occurred on that system. That could be the most important piece of information together. Again, the caveat is that it is going to be time sensitive. Depending on how old the case might be or when you were notified of the incident, if it's something that's been ongoing or the computers have been shut on and off, that may limit the need to collect that volatile data.

One of the other things that you have to be cognizant of when preserving evidence is destructive activity. In particular, if a malicious actor has had foreknowledge of the investigation, he or she may attempt to destroy that evidence to hide their activities. That destruction could come anywhere from physical destruction, where once you arrive on a scene you've got somebody standing there with a hammer and he's bashing in his computer system or hard drive, to attempting to delete files, which is not necessarily the worst thing. Hopefully we can recover those. He may be attempting to format and/or wipe the system using CCleaner or some other type of program like BleachBit, so you want to be paying particular attention to destructive activity such as that.

That activity obviously has observable indicators for the investigator. If you get there and someone's holding a hammer and they're bashing on the computer, that's a pretty good indicator. If you get there and you see certain files or programs up on the computer system, such as CCleaner running and cleaning all of the data on the system, that should be an indicator. Other indicators are generally more subtle. It could be a flashing or solidly illuminated hard drive light to indicate hard drive activity. You could have a spinning hard drive, which resembles rattling or whirring. However, don't confuse that with cooling fans. Then you can also attempt to detect that through touch, that slight vibration.

Other destructive activities, though, could be routine, such as defragmentation. There are certain processes that are set up to run. You just happen to get there as it's defragmenting the disk. Obviously that will change the state of the system, so you would want to disable that from occurring. Again, we talked about automatic cleaners. Every time you log on a system, maybe CCleaner is going to run. Or after it gets to a certain point, CCleaner is going to run at 12 o'clock every day. Those are things to consider. Then even something such as downloading material over the Internet can also overwrite any type of data that is going to be in that volatile memory.

The big questions that you have to ask yourself are: what type of destruction is occurring? Then, will that destruction cause harm if it is allowed to continue? Is there encrypted data that needs to be captured? If you're going to shut off the system and there are certain files or folders that are unencrypted, and by shutting the system off it will re-encrypt that data and you'll lose it, is it important to maybe capture that data first? Then, is the computer connected to cloud storage devices that may be pertinent to your investigations? Again, by disconnecting that computer or turning it off, you might lose that connection to cloud storage, and that could be the keys to unlocking your investigation.

Stopping the destructive activity, how do you do it? Stop the person from bashing in the computer with the hammer. Well, I'll leave that up to you how you go about doing that, but stopping a particular program or application could be just as simple as clicking the red X. You could also try a graceful shutdown of a system or a hard shutdown of the system. Lastly, pulling the power cord from the back of the system; including on your PC, pulling the cord is not going to do a whole lot of good. However, pulling that power cord, there's going to be some caveats to that. That's going to be the universal power supply. If you have a UPS attached to your system, when you pull the power cord, nothing's going to happen. Your computer system will continue to run and it will not know that power has been lost because the UPS has kicked on and continues to power the system. A UPS can either be internal or external to the system. An internal UPS can look like a power supply. It can look like a control panel at the front of the box, or a PCI card, or externally it can look like a power supply as well. The safest option when dealing with some of these, where you don't know where they are or what they look like and pulling the power cord out of the wall is not working, the safest option then is to open the case and handle the components while the power is still on: the input/output cables from the drive. I will remind you that it is important to use the proper grounding techniques or to discharge any static electricity before handling these hard drives, because you could essentially damage them with that static electricity and any evidence on them would then become useless.

We hinted at the order of volatility a little bit earlier in this discussion about capturing data that is going to be lost once power is shut off. Here we have the order of volatility. We have registers and cache. Then we move on to the routing tables, ARP cache, kernel statistics, connections, and memory. Down from that we have temporary files. Then we have hard disk and/or other non-volatile storage media. Then we have remote logging and monitoring devices. Then we have network topology and physical configuration, and lastly we have archive media. Those are in order of how you would generally want to go about and collect data during your forensic investigation.