Part 6 - Capturing the data: Incident Response and Advanced Forensics Course | Cybrary

Video Activity

Create Free Account

This lesson covers how to capture the data in order to preserve evidence. Investigators need to be able to capture on screen data such as open files, task bar, open windows, system tray as well as gadgets and sidebars, system time and date. Collecting information following an incident needs to be thought of as a triage: know what information is bei...

Sign up with

Or

Already have an account? Sign In »

Time

8 hours 6 minutes

Difficulty

Intermediate

CEU/CPE

4

Create Free Account

This lesson covers how to capture the data in order to preserve evidence. Investigators need to be able to capture on screen data such as open files, task bar, open windows, system tray as well as gadgets and sidebars, system time and date. Collecting information following an incident needs to be thought of as a triage: know what information is being sought, what are the requirements and what will answer them and what techniques are needed to obtain the information? After the triage process, the data is imaged.

00:04

So the next part of preserving evidence is capturing the data that is on the screen

00:10

as you see it when you arrived on scene.

00:14

So one of the first things that you're going to look for are open files,

00:18

and the open files can be saved, using the safe as function to a forensically wiped thumb drive for external storage device. And again we talked about. We will show you in the hands on portion out to forensically wipe a thumb drive and prepare it for your evidence collection.

00:39

That being said, collecting those open files they should be completed after you have collected that volatile data. Just to ensure that you're not changing the state of the system

00:51

on then also keeping month inserting a thumb drive will record information about that device onto your victim machine.

01:03

The next piece of onscreen data that you want to look for is going to be the taskbar,

01:08

and it's going to show most of the programs running on the computer, so that will be down the very right hand bottom corner of the screen.

01:19

The next process, you're going to look for open windows, some programs they can run on the desktop. They're not going to show up in the taskbar. So just like open files, being able to peruse through the window and see what's what is there and what's not there and then taking a photograph of any type

01:38

of open window that you may have,

01:41

particularly they've got into. Some various website may be able to save

01:49

that website to your thumb drive. But also taking a picture of the website will not hurt,

01:56

and then the system trade programs could be hidden in that location. GADGETS Sidebar on your felt relatively recently

02:05

recent Windows Systems You'll see some gadgets, sometimes sidebars on the right hand side, under computer

02:13

and then, lastly, recording the system's dating time, which you'll see down in the taskbar.

02:20

Blow, uh, in the bottom right hand corner of your screen.

02:24

So if you have a system that is power off and you need to obtain the system date time,

02:32

you can go through the bios in order to do that, so essentially would be photographing the interior and exterior that system,

02:40

and then you would power on the system and enter the set up move. And then, if you don't know how to do that, you could follow the on screen instructions that are presented during that menu. Argue can use Google on your forensic machine to try and figure out which key that you're going to press. Could be escaped.

03:00

Key. The F tenor.

03:01

Well, he pretty common keys. In order to help get you into that setup mode from that set up move, you can then find that system date and time information and then power down the system. That being said, if you are not able to stop

03:21

the system before it

03:23

goes past that boot mode, you'll want to immediately power down that system.

03:30

Um,

03:30

by doing a hard power down, you would not want the system to to begin to load the operating system so that it's just a consideration

03:42

and the next you wantto know, take the configuration. Hard drives of that system

03:47

document each setting for the device on attack you find or none,

03:53

and then for used refined setting, you're gonna want record all settings to include cylinders heads, pretty cop in logical block. Addressing

04:00

all of that information should be contained

04:03

within that set up in you

04:05

cell moving on from there we have Thio essentially conduct a triage

04:12

of the data once we become on scene.

04:15

Um,

04:16

that being said, when we get there, we have to know what information that we're looking for.

04:21

So when we're processing information,

04:26

if we have certain types of incidents such as malware, suspicious sports, remote users or suspicious processes

04:33

collecting that bottle town data

04:35

maybe very much importance.

04:40

However, if we have other types of cases where we suspect there may be no forest images, documents, videos

04:47

determining user activity, registry information, Nonviolence, all data, maybe more important

04:55

to collect

04:57

so identifying what requirements you have and what will answer.

05:02

So figuring out what you need to get,

05:05

uh, how get it

05:08

should be important when you're looking at doing that triage. So

05:13

are you looking for running processes listening for its pilotless registry, please Network connections central, essentially identifying a requirement and then going out trying to find the data that's going to answer that requirement

05:27

and then, lastly, after you've kind of identified what you need to get, how are you going to get it? What tools are techniques do you need to use to get the information you need so you can use f k in case volatilities, redline dumping coffee helix

05:44

Matt Marshall Memorize Rapture Cyst Internal sweet access data Tree up There are literally hundreds of tools out there to use to acquire data and to analyze data. So having a broad familiarity

06:00

with a lot of tools and knowing how to use them

06:03

will behoove you in your forensic investing.

06:11

After you have conducted that basic triage of the system and you have collected all of the onscreen data,

06:19

it has been time for the imaging process. So there are different types of images what we're going to use as we want a forensic, and that is going to be a file that includes a bit for bit copy of specified data on the types of

06:38

files that you will see. Our

06:40

E one files E x one files 81 files on the 810.1

06:46

raw

06:48

and then there are different types of images. You will have a physical image, which is a bit for bit copy of a single physical storage device that is more than likely going to be your best evidence.

07:02

However, you also have a logical image that is, one could be a bit for bit copy of one of more partitions.

07:10

Regardless, if the partitions have been formatted with a foul system

07:15

a logical image you're generally going to collect from a system that is powered on.

07:23

And you would collect that if you feel that you cannot get a physical image of the system, are the physical image of system you might get would be useless for, say, if it had some type of encryption on the system and you were not able to obtain wth E unlocked keys

07:43

and the last type of images a targeted image and that is going to be a bit for a copy of a specified target data, usually a file folder,

07:53

and that will also be considered a logical image.

Part 7 - Imaging concepts

Part 8 - Volatile Memory Capture

Part 9 - Forensics in Support of Incident Response

Part 10 - Formatting a disk for Incident Response

Part 11 - Using the FTK Imaging Software

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. Why do I need this certification? As a part of the Incident Response process, ...

VP, Cybersecurity Incident Response Planning at JPMorgan