Part 6 - Capturing the data


Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7
Video Description

This lesson covers how to capture the data in order to preserve evidence. Investigators need to be able to capture on screen data such as open files, task bar, open windows, system tray as well as gadgets and sidebars, system time and date. Collecting information following an incident needs to be thought of as a triage: know what information is being sought, what are the requirements and what will answer them and what techniques are needed to obtain the information? After the triage process, the data is imaged.

Video Transcription

The next part of preserving evidence is capturing the data that is on the screen as you see it when you arrive on the scene. One of the first things that you're going to look for are open files. The open files can be saved using the Save As function to a forensically wiped thumb drive or external storage device. Again, as we've talked about, we will show you in the hands-on portion how to forensically wipe a thumb drive and prepare it for your evidence collection. That being said, collecting those open files should be completed after you have collected that volatile data, just to ensure that you're not changing the state of the system. Then also keep in mind that inserting a thumb drive will record information about that device onto your victim machine.

The next piece of on-screen data that you want to look for is going to be the taskbar. It's going to show most of the programs running on the computer. That will be down in the very right-hand bottom corner of your screen. The next process: you're going to look for open windows. Some programs can run on the desktop, and they're not going to show up in the taskbar. Just like open files, being able to peruse through the window and see what is there and what's not there, and then taking a photograph of any type of open window that you may have. Particularly if they've gone onto various websites, you may be able to save that website to your thumb drive, and also taking a picture of the website will not hurt.

Then the system tray: programs can be hidden in that location. Gadgets and sidebars: on relatively recent Windows systems, you'll see some gadgets, sometimes in sidebars on the right-hand side of the computer. Then lastly, recording the system's date and time, which you'll see down in the taskbar in the bottom right-hand corner of your screen.

If you have a system that is powered off and you need to obtain the system date and time, you can go through the BIOS in order to do that. Essentially you would be photographing the interior and exterior of that system, and then you would power on the system and enter the setup mode. If you don't know how to do that, you can follow the on-screen instructions that are presented during that menu, or you can use Google on your forensic machine to try and figure out which key you're going to press. It could be the Escape key, F10 or F12, the pretty common keys, in order to help get you into that setup mode. From that setup mode, you can then find that system date and time information and then power down the system. That being said, if you're not able to stop the system before it goes past that boot mode, you'll want to immediately power down that system by doing a hard power down. You would not want the system to begin to load the operating system, so that's just a consideration.

Next, you'll want to notate the configuration of the hard drives of the system: document each setting for the device, whether auto-detect, user-defined, or none. Then for a user-defined setting, you're going to want to record all settings, to include cylinders, heads, pre-comp and logical block addressing. All of that information should be contained within that setup menu.

Moving on from there, we have to essentially conduct a triage of the data once we are on scene. That being said, when we get there, we have to know what information we're looking for. When we're processing information, if we have certain types of incidents such as malware, suspicious ports, remote users or suspicious processes, collecting that volatile data may be of very much importance. However, if we have other types of cases, where we suspect there may be unauthorized images, documents, videos, determining user activity or registry information, non-volatile data may be more important to collect.

Identify what requirements you have and what will answer them. Figuring out what you need to get and how good it should be is important when you're looking at doing that triage. Are you looking for running processes, listening ports, files, registry keys, network connections? Essentially, attempt to define your requirement and then go out and try to find the data that's going to answer that requirement. Then lastly, after you've identified what you need to get, how are you going to get it? What tools or techniques do you need to use to get the information you need? You can use FTK, EnCase, Volatility, Redline, DumpIt, COFEE, Helix, Mac Marshal, Memoryze, Raptor, Sysinternals Suite, AccessData Triage. There are literally hundreds of tools out there to use to acquire data and to analyze data. Having a broad familiarity with a lot of tools and knowing how to use them will help you in your forensic investigation.

After you have conducted that basic triage of the system and you have collected all of the on-screen data, it is then time for the imaging process. There are different types of images. What we're going to use is a forensic image, so that is going to be a file that includes a bit-for-bit copy of specified data. The types of files that you will see are E01 files, Ex01 files, AD1 files, and then the .001 raw files. Then there are different types of images, so you will have a physical image, which is a bit-for-bit copy of a single physical storage device; that is more than likely going to be your best evidence. However, you also have a logical image, and that is one that can be a bit-for-bit copy of one or more partitions, regardless of whether the partitions had been formatted with a file system. A logical image you're generally going to collect from a system that is powered on, and you would collect that if you feel that you cannot get a physical image of the system, or the physical image of the system you might get would be useless, say, if it had some type of encryption on the system and you were not able to obtain the unlock keys. The last type of image is a targeted image, and that is going to be a bit-for-bit copy of specified target data, usually a file or folder. That will also be considered a logical image.
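The three image types the lesson closes with (physical, logical, targeted) differ only in which byte range of the device is copied; what makes any of them evidence is that the copy is verified bit-for-bit against its source. The following Python script is an added example, not code from this Cybrary lesson or from any of the tools it names. It constructs a toy "physical device" in memory (the sector size, partition layout, and embedded memo file are assumptions of the example, not a real partition table format), writes each image type out as a raw .001 file, hashes the source range and the written file independently, and shows that re-hashing a later-altered image fails verification.

```python
"""Added example (not from the Cybrary lesson): acquire physical, logical and
targeted raw images of a constructed in-memory device and verify each by hash."""

import hashlib
import os
import tempfile

SECTOR = 512  # bytes per sector on the constructed device (assumption)
MEMO = b"CONSTRUCTED SAMPLE: quarterly memo, not real evidence.\n"

# Constructed layout (an assumption of this example, not a real partition table):
# sector 0 holds a marker, partition 1 spans sectors 1-31, partition 2 spans
# sectors 32-63, and one "file" sits at a fixed byte offset inside partition 1.
PARTITIONS = {"part1": (1, 31), "part2": (32, 32)}   # name -> (first sector, sector count)
FILES = {"memo.txt": (5 * SECTOR + 100, len(MEMO))}  # name -> (byte offset, length)


def build_sample_device() -> bytes:
    """Construct the toy disk in memory so the example runs without real hardware."""
    device = bytearray(64 * SECTOR)
    device[0:8] = b"TOYDISK!"
    p1_start, p1_count = PARTITIONS["part1"]
    p2_start, p2_count = PARTITIONS["part2"]
    device[p1_start * SECTOR:(p1_start + p1_count) * SECTOR] = b"\xaa" * (p1_count * SECTOR)
    device[p2_start * SECTOR:(p2_start + p2_count) * SECTOR] = b"\x55" * (p2_count * SECTOR)
    offset, length = FILES["memo.txt"]
    device[offset:offset + length] = MEMO
    return bytes(device)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, start: int, length: int, out_path: str) -> dict:
    """Copy bytes [start, start+length) of the source to a raw .001 file.

    The source range and the written file are hashed separately so the two
    digests can be compared: that comparison is the acquire-then-verify step."""
    region = source[start:start + length]
    with open(out_path, "wb") as fh:
        fh.write(region)
    with open(out_path, "rb") as fh:
        image_hash = sha256_hex(fh.read())
    source_hash = sha256_hex(region)
    return {
        "path": out_path,
        "size": length,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def physical_image(device: bytes, outdir: str) -> dict:
    """Bit-for-bit copy of the whole storage device (the lesson's 'best evidence')."""
    return acquire(device, 0, len(device), os.path.join(outdir, "device.001"))


def logical_image(device: bytes, partition: str, outdir: str) -> dict:
    """Bit-for-bit copy of one partition, whether or not it carries a file system."""
    first, count = PARTITIONS[partition]
    return acquire(device, first * SECTOR, count * SECTOR,
                   os.path.join(outdir, f"{partition}.001"))


def targeted_image(device: bytes, name: str, outdir: str) -> dict:
    """Bit-for-bit copy of one specific file; the lesson counts this as a logical image too."""
    offset, length = FILES[name]
    return acquire(device, offset, length, os.path.join(outdir, f"{name}.001"))


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-hash a stored image; any later alteration changes the digest."""
    with open(path, "rb") as fh:
        return sha256_hex(fh.read()) == expected_sha256


def run_demo() -> dict:
    """Acquire all three image types into a temp directory and return their records."""
    device = build_sample_device()
    outdir = tempfile.mkdtemp(prefix="imaging_demo_")
    results = {
        "physical": physical_image(device, outdir),
        "logical": logical_image(device, "part1", outdir),
        "targeted": targeted_image(device, "memo.txt", outdir),
    }
    for kind, rec in results.items():
        print(f"{kind:9} {rec['size']:6d} bytes  sha256={rec['image_sha256'][:16]}..."
              f"  verified={rec['verified']}")
    return results


if __name__ == "__main__":
    run_demo()
```

Run it directly to see the three acquisitions and their digests. The record returned by `acquire` is the shape of what belongs in the chain-of-custody notes for a real image: the source range, the output path, and the independently computed source and image hashes. On a real system the same verification is done by hashing the device and the image file with the acquisition tool rather than by slicing a bytes object.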