Time: 8 hours 6 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers how to capture data in order to preserve evidence. Investigators need to be able to capture on-screen data such as open files, the taskbar, open windows, the system tray, gadgets and sidebars, and the system time and date. Collecting information following an incident needs to be thought of as a triage: know what information is being sought, what the requirements are and what will answer them, and what techniques are needed to obtain the information. After the triage process, the data is imaged.

Video Transcription

00:04
So the next part of preserving evidence is capturing the data that is on the screen
00:10
as you see it when you arrive on scene.
00:14
So one of the first things that you're going to look for are open files,
00:18
and the open files can be saved, using the Save As function, to a forensically wiped thumb drive or external storage device. And again, as we talked about, we will show you in the hands-on portion how to forensically wipe a thumb drive and prepare it for your evidence collection.
00:39
That being said, collecting those open files should be completed after you have collected that volatile data, just to ensure that you're not changing the state of the system,
00:51
and then also keeping in mind that inserting a thumb drive will record information about that device onto your victim machine.
01:03
The next piece of on-screen data that you want to look for is going to be the taskbar,
01:08
and it's going to show most of the programs running on the computer, so that will be down in the very bottom right-hand corner of the screen.
01:19
The next process: you're going to look for open windows. Some programs can run on the desktop; they're not going to show up in the taskbar. So just like open files, being able to peruse through the windows and see what is there and what's not there, and then taking a photograph of any type
01:38
of open window that you may have,
01:41
particularly if they've gotten into some various website. You may be able to save
01:49
that website to your thumb drive, but also taking a picture of the website will not hurt,
01:56
and then the system tray: programs could be hidden in that location. Gadgets and sidebars: on relatively
02:05
recent Windows systems you'll see some gadgets, sometimes sidebars on the right-hand side, on the computer,
02:13
and then, lastly, recording the system's date and time, which you'll see down in the taskbar
02:20
below, uh, in the bottom right-hand corner of your screen.
02:24
So if you have a system that is powered off and you need to obtain the system date and time,
02:32
you can go through the BIOS in order to do that, so essentially you would be photographing the interior and exterior of that system,
02:40
and then you would power on the system and enter the setup mode. And then, if you don't know how to do that, you could follow the on-screen instructions that are presented during that menu, or you can use Google on your forensic machine to try and figure out which key you're going to press. It could be the Escape
03:00
key, the F10, or,
03:01
well, pretty common keys in order to help get you into that setup mode. From that setup mode, you can then find that system date and time information and then power down the system. That being said, if you are not able to stop
03:21
the system before it
03:23
goes past that boot mode, you'll want to immediately power down that system.
03:30
Um,
03:30
by doing a hard power down. You would not want the system to begin to load the operating system, so that's just a consideration,
03:42
and next you want to note the configuration of the hard drives of that system:
03:47
document each setting for the device, auto-detect, user-defined or none,
03:53
and then for a user-defined setting, you're gonna want to record all settings, to include cylinders, heads, precomp and logical block addressing.
04:00
All of that information should be contained
04:03
within that setup menu.
04:05
So moving on from there, we have to essentially conduct a triage
04:12
of the data once we come on scene.
04:15
Um,
04:16
that being said, when we get there, we have to know what information we're looking for.
04:21
So when we're processing information,
04:26
if we have certain types of incidents such as malware, suspicious ports, remote users or suspicious processes,
04:33
collecting that volatile data
04:35
may be of very much importance.
04:40
However, if we have other types of cases where we suspect there may be nefarious images, documents, videos,
04:47
determining user activity, registry information, non-volatile data may be more important
04:55
to collect.
04:57
So identifying what requirements you have and what will answer them,
05:02
so figuring out what you need to get,
05:05
uh, how to get it,
05:08
should be important when you're looking at doing that triage. So
05:13
are you looking for running processes, listening ports, file lists, registry keys, network connections, et cetera? Essentially identifying a requirement and then going out trying to find the data that's going to answer that requirement,
05:27
and then, lastly, after you've kind of identified what you need to get, how are you going to get it? What tools or techniques do you need to use to get the information you need? So you can use FTK, EnCase, Volatility, Redline, DumpIt, CAINE, Helix,
05:44
Mandiant Memoryze, Raptor, Sysinternals Suite, AccessData Triage. There are literally hundreds of tools out there to use to acquire data and to analyze data. So having a broad familiarity
06:00
with a lot of tools and knowing how to use them
06:03
will behoove you in your forensic investigations.
06:11
After you have conducted that basic triage of the system and you have collected all of the on-screen data,
06:19
it is then time for the imaging process. So there are different types of images. What we're going to use, as we want a forensic image, is going to be a file that includes a bit-for-bit copy of specified data, and the types of
06:38
files that you will see are
06:40
E01 files, Ex01 files, AD1 files, L01 files and
06:46
raw,
06:48
and then there are different types of images. You will have a physical image, which is a bit-for-bit copy of a single physical storage device. That is more than likely going to be your best evidence.
07:02
However, you also have a logical image; that is one that could be a bit-for-bit copy of one or more partitions,
07:10
regardless of whether the partitions have been formatted with a file system.
07:15
A logical image you're generally going to collect from a system that is powered on,
07:23
and you would collect that if you feel that you cannot get a physical image of the system, or the physical image of the system you might get would be useless, for, say, if it had some type of encryption on the system and you were not able to obtain the unlock keys,
07:43
and the last type of image is a targeted image, and that is going to be a bit-for-bit copy of specified target data, usually a file or folder,
07:53
and that will also be considered a logical image.


Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor