00:03
>> The next part of preserving evidence is capturing the data that is on the screen as you see it when you arrive on the scene. One of the first things that you're going to look for are open files. The open files can be saved using the Save As function to a forensically wiped thumb drive or external storage device. Again, as we've talked about, we will show you in the hands-on portion how to forensically wipe a thumb drive and prepare it for your evidence collection. That being said, collecting those open files should be completed after you have collected that volatile data, just to ensure that you're not changing the state of the system. Then also keep in mind that inserting a thumb drive will record information about that device onto your victim machine.

The next piece of on-screen data that you want to look for is going to be the taskbar. It's going to show most of the programs running on the computer. That will be down in the very bottom right-hand corner of your screen. Next, you're going to look for open windows. Some programs can run on the desktop and not show up in the taskbar. Just like open files, being able to peruse through the window and see what is there and what's not there, and then taking a photograph of any type of open window that you may have. Particularly if they've gone onto some various websites, you may be able to save that website to your thumb drive, and also taking a picture of the website will not hurt. Then the system tray: programs can be hidden in that location. Gadgets and sidebar: on relatively recent Windows systems, you'll see some gadgets, sometimes in sidebars on the right-hand side of the computer. Then lastly, recording the system's date and time, which you'll see down in the bottom right-hand corner of your screen.

If you have a system that is powered off and you need to obtain the system date and time, you can go through the BIOS in order to do that. Essentially you would be photographing the interior and exterior of that system, and then you would power on the system and enter the setup mode. Then if you don't know how to do that, you can follow the on-screen instructions that are presented during that menu, or you can use Google on your forensic machine to try and figure out which key you're going to press. It could be the Escape key, one of the pretty common keys, in order to help get you into that setup mode. From that setup mode, you can then find that system date and time information and then power down the system. That being said, if you're not able to stop the system before it goes past that boot mode, you'll want to immediately power down that system by doing a hard power down; you would not want the system to begin to load the operating system. So that's just a consideration.

Next, you'll want to notate the configuration of the hard drives of the system: document each setting for the device, whether auto-detect, user-defined, or none. Then for a user-defined setting, you're going to want to record all settings, to include cylinders, heads, pre-comp, and logical block addressing. All of that information should be contained within that setup menu.

Moving on from there, we have to essentially conduct a triage of the data once we come on scene. That being said, when we get there, we have to know what information we're looking for. When we're processing information, if we have certain types of incidents such as malware, suspicious ports, remote users, or suspicious processes, collecting that volatile data may be very important. However, if we have other types of cases, where we suspect there may be unauthorized images, documents, or videos, determining user activity or registry information, non-volatile data may be more important to collect. Identify what requirements you have and what will answer them. Figuring out what you need to get and how good it should be is important when you're looking at doing that triage. Are you looking for running processes, listening ports, files, registry keys, network connections? Essentially, attempt to define your requirement and then go out and try to find the data that's going to answer that requirement.

Then lastly, after you've identified what you need to get, how are you going to get it? What tools or techniques do you need to use to get the information you need? You can use FTK, EnCase, Volatility, Redline, DumpIt, COFEE, Helix, Mac Marshal, Memoryze, Raptor, Sysinternals Suite, AccessData Triage. There are literally hundreds of tools out there to use to acquire data and to analyze data. Having a broad familiarity with a lot of tools and knowing how to use them will help you in your forensic investigation.

After you have conducted that basic triage of the system and you have collected all of the on-screen data, it is then time for the imaging process. There are different types of images. What we're going to use is a forensic image, so that is going to be a file that includes a bit-for-bit copy of specified data. The types of files that you will see are E01 files, Ex01 files, AD1 files, and then the .001 raw files. Then there are different types of images, so you will have a physical image, which is a bit-for-bit copy of a single physical storage device; that is more than likely going to be your best evidence. However, you also have a logical image, and that is one that can be a bit-for-bit copy of one or more partitions, regardless of whether the partitions have been formatted with a file system. A logical image you're generally going to collect from a system that is powered on, and you would collect that if you feel that you cannot get a physical image of the system, or the physical image of the system you might get would be useless, say, if it had some type of encryption on the system and you were not able to obtain the unlock keys. And the last type of image is a targeted image, and that is going to be a bit-for-bit copy of specified target data, usually a file or folder. That will also be considered a logical image.