Time
8 hours 6 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers imaging concepts. Forensic imaging is used to preserve the evidence in its original form by creating an exact duplicate. When creating this image, be sure to consider the size of the media, the number of devices and the access to the media. When collecting data, take the following steps: wipe the media, decide on a logical versus a physical wipe, acquire the media, and use write blockers.
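The three steps the lesson describes (wipe the destination media, verify the wipe, then acquire and compare hashes) as an added Python example; it is not course material or EnCase code, and the "thumb drive" and "forensic media" byte strings are constructed sample data, not real device images.

```python
import hashlib

def wipe(media: bytearray, pattern: int = 0x00) -> None:
    """Physical wipe: overwrite every byte of the destination media with one known
    value. The lesson uses zeros; EnCase Imager lets you pick another hex value."""
    media[:] = bytes([pattern]) * len(media)

def verify_wipe(media: bytes, pattern: int = 0x00) -> bool:
    """The check you would otherwise do by paging through the disk in a hex editor:
    every byte must equal the chosen pattern."""
    return all(b == pattern for b in media)

def acquire(source: bytes, destination: bytearray) -> bytes:
    """Bit-for-bit copy of the evidence onto the (larger, clean) forensic media.
    Returns the image so it can be hashed against the original."""
    if len(destination) < len(source):
        raise ValueError("forensic media is smaller than the evidence being imaged")
    destination[:len(source)] = source
    return bytes(destination[:len(source)])

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def image_is_verified(original: bytes, image: bytes) -> bool:
    """Acquisition is complete only when original and image hashes match."""
    return md5_hex(original) == md5_hex(image)

def run_acquisition() -> dict:
    # Constructed sample data: a small "thumb drive" (with a JPEG-like header) and
    # forensic media that still carries bytes from a previous case, which is exactly
    # the cross-contamination the wipe step is meant to rule out.
    thumb_drive = b"CASE-2024 evidence: photo.jpg \xff\xd8\xff\xe0" + b"\x00" * 20
    forensic_media = bytearray(b"OLD CASE leftover data " * 4)  # larger than the source
    dirty_before = not verify_wipe(forensic_media)
    wipe(forensic_media)                            # step 1: forensically wipe
    clean = verify_wipe(forensic_media)             # step 2: verify the wipe
    image = acquire(thumb_drive, forensic_media)    # step 3: acquire (write blocker on source)
    return {
        "dirty_before_wipe": dirty_before,
        "clean_after_wipe": clean,
        "hashes_match": image_is_verified(thumb_drive, image),
        # any non-zero byte past the image would be leftover data from the old case
        "residue_beyond_image": any(forensic_media[len(thumb_drive):]),
    }

if __name__ == "__main__":
    print(run_acquisition())
```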

Video Transcription

00:04
So, imaging concepts. Forensic imaging is conducted to preserve the integrity of the original evidence by creating an exact duplicate.
00:11
And a pretty cool thing about digital forensics that separates it from a lot of the other forensics fields
00:20
is that when we conduct our investigations, we essentially preserve evidence, and we preserve it a lot better than some of the other forensic sciences. For instance, if you have someone who is conducting an autopsy of a cadaver and they remove certain
00:37
portions of the cadaver and they're doing their scientific tests,
00:41
they are in fact destroying that evidence that they have. Whereas in the digital forensics realm, we're making an exact copy. And then all of the investigation that we're doing is with that copy, and we leave the original evidence intact.
00:58
So therefore, when making these copies, it is important to consider the size of the media being imaged, the number of devices and the access to the media. So obviously, if we're going to image a 500 gigabyte hard drive,
01:15
we need to have at least a 500 gigabyte hard drive
01:19
to image our data to.
01:21
Also, keep in mind that we're going to want to use some type of forensic write blocker to protect the evidence against alteration during the imaging process. And those write blockers can either be software or hardware based
01:37
write blockers.
01:38
And then, lastly, the integrity of the images should be validated through hashing and then matching the hash values from the original evidence to the forensic image that we created
01:52
to verify that those images are identical. And then when we image this thumb drive that I have during our hands-on portion, you'll see that the image that is created on our forensic media is going to be an exact duplicate
02:12
of the information that was contained on that
02:15
thumb drive.
02:15
And the way we were able to ascertain that is that the MD5 hashes do, in fact, match.
02:25
Uh, the first thing, however, that we want to do when we,
02:30
uh,
02:31
start collecting data is to ensure that we have forensically wiped the media. Now, this should be conducted during our preservation phase, but we'll go ahead and cover it again here,
02:46
so wiping the media ensures every bit of data on that device that we have is wiped with a predetermined or known value.
02:58
I generally use zeros, and the EnCase Imager will let you change whatever hexadecimal value you would like to overwrite that device with,
03:09
and then you can check it using some type of hex editor to see that that data has in fact been wiped.
03:16
And then wiping will allow the investigator to sanitize the media to ensure no data is left on the device. Keep in mind, though, it is not deleting the data.
03:28
Deleting the data essentially still leaves the data on the device. It just says that that space is open to be written to.
03:36
Wiping the media eliminates any possibility of cross-contamination because it overwrites every bit
03:43
of that device with your predetermined values.
03:46
Also, keep in mind formatting your device does not delete the data, but there are no links to view the files any longer.
03:53
So conducting that forensic wipe is going to be of great importance, especially if you're gonna go to court,
04:00
because an attorney could ask, "How do you know that my client did have this bad image on his computer? Because it could have been on your media when you collected the data from my client's computer system."
04:19
And of course, your retort to that would be, "No, there's no way that it was going to be on my forensically wiped media, because I used this process where I take my media and I wipe it,
04:30
uh, with zeros using the EnCase forensic imager, and that ensures that there is no data left on my forensic media."
04:42
So again, if you're going to go to court, this process is going to be very important. However, even if you're not going to court, having a clean piece of media and then inserting that into your forensic viewer, your forensic analysis program, just
04:59
helps to ensure the integrity of that data
05:02
and that you're not cross-contaminating.
05:06
So we'll talk about your logical versus a physical wipe. A logical wipe completely eliminates files or logical volumes and
05:15
may be able to overwrite all the sectors that are considered unallocated space. However, it does not wipe partition space such as partition tables or volume boot records.
05:26
A physical wipe of the system, which is what we generally try to do every single time, overwrites the entire physical disk: all drives, all partitions, all volumes, files and slack space. Bottom line, everything's gone.
05:43
Once wiping is complete, verify the wipe by using a disk editor or hex editor, and I will show you again during the hands-on portion how to do that and how to look through that device and ensure that it has in fact been wiped with zeros.
06:03
After you have that forensically clean media, that wiped media, the next process is to actually conduct the acquisition of data.
06:14
So
06:15
acquisition of media will include any type of electronic storage device capable of retaining data.
06:23
So that could include hard drives, tapes, optical media, thumb drives, external hard drives, servers, etcetera.
06:30
If they can hold data,
06:31
uh, then you should be able to figure out how to acquire the data from that media.
06:39
However, before removing or interacting with any acquired media, investigators should photograph and document the location
06:46
that the media is discovered in and indicate the type of media that you have discovered in your notes. So, like we talked about, the very pedantic, very specific way of recording: I have found a two gigabyte SanDisk Cruzer Titanium thumb drive with serial number
07:05
ABC123,
07:08
and then I have taken a picture of it and it is included in my notes.
07:13
And then keep in mind that the media should not be altered in any way, and ensure that the media is not altered by using that write blocking device once you go to acquire the data from it. So speaking of write blockers, a write blocker
07:30
is a piece of software or hardware that prevents data from being written
07:34
to your discovered storage media.
07:39
So many forensic software providers also make a write blocker to accompany their products. So
07:46
I know there's one, the Tableau write blockers. They are a good
07:51
hardware write blocker that sits in line with any type of discovered media and your
07:58
forensically clean media.
08:01
They're about $400 to $500 and up, depending on which model you select. For the purposes of this,
08:09
this course and for our discussion, we're going to be using a free software write blocker that you can get on SourceForge, which is going to be the USB Write Blocker for All Windows, and you can go to the SourceForge link
08:22
to download
08:24
the write blocker.
08:28
Also, keep in mind that you want to have a set of trusted tools as you're going about doing a forensic investigation,
08:39
and some of the tools that we've talked about or are going to talk about are going to be our imaging programs, such as the FTK Imager or the EnCase Imager.
08:50
We'll also discuss a little bit of Mandiant's Redline.
08:56
However, it's also important to have essentially some command line tools that you can run on a system
09:03
when you do find a system.
09:05
You may or may not know what has happened to that system,
09:11
depending on,
09:13
um,
09:15
who touched the system and what type of investigation that you're doing.
09:20
That being said, you'll want to have certain command functions on your trusted tools, such as your command prompt
09:28
and some of the commands such as PsList, PsLoggedOn, ipconfig,
09:33
your netstat, ps. And you'll want to have all of those potential commands loaded onto your trusted toolkit. I load mine onto a removable or portable USB device,
09:50
and that way, when you find your victim's system, you can run all of your
09:56
commands from your device and not have to rely on,
10:01
uh, the
10:03
commands from the victim machine,
10:05
so those were just a small list
10:07
of some of the trusted tools that you're gonna want to create or have available. When we get into the hands-on portion, I will show you a larger list of trusted tools that I have on my
10:20
my thumb drive, and you can download some of the tools that you think that you're going to need or want in your forensic investigations.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor