Time
8 hours 6 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

This lesson covers volatile memory capture. There are numerous programs to accomplish this; some of the well-known ones are: · FTK Imager · DumpIT · Mandiant Redline The best practice is to use removable media with installed software, which captures virtual memory while not adding files which causes valuable data to be overwritten. After the data is collected; the following takes place: · Disk encryption · Forensic imagining · Volatile memory analysis · Analysis of data Reporting

Video Transcription

00:03
so moving on from our trusted tools after we have our tool kit gathered up,
00:09
um, we can use other programs essentially to capture volatile on them.
00:16
Eso trusted tool kit will help us gather information about that system that command prompt level. But if we wanna ought to make this process of capture the entire volatile memory, we can use empty K imager
00:34
within you to dump it. Or we can use Mandiant rabble.
00:38
So with any of those programs,
00:42
essentially grab all of that volatile memory, all of that ramp, and then put that out to a file system where you can analyze that will go over that in depth in the hands of fortune. Well,
00:54
remember that the best practice on capturing this volatile memory is to use removable media with installed software to avoid adding files to the system that can overwrite data
01:08
and then the disc encryption process. After you've collected the volatile data. If you believe that the system may have been a locker on it, which if your system is running Microsoft Windows, Mr this tow or later additions,
01:27
then it is highly likely that at least has the ability to have
01:34
bit locker on it.
01:34
So if you're not familiar with
01:38
what type of operating system that you've discovered,
01:42
you can open up a command prompt from your trusted tool kit
01:48
and type in wind vert, and that will give you the operating system.
01:53
If you believe that system does happen, that locker you can type in the file in command of the manage Dasha bt dot in the XY
02:04
space dash status on that will show you a bit. LOCKER isn't able on the system.
02:12
If bit locker isn't able, you can type in the proceeding command of the managed Ashmead E X e
02:20
dash protectors dash get, and that will provide you the recovery password. And then once you get that recovery pass work, they're going to want to save that to some type of note. Pat documents
02:34
onto your
02:37
forensically wiped thumb drive hard drive on. That way you will have those encryption keys so you can go ahead and get that
02:49
physical image of the device and that you'll be able to get into it and it will be useful.
02:55
The next step is going to be creating the physical image of your systems hard drive,
03:05
and there are both software and hardware in the gym, too,
03:07
and imaging allows investigator again toe work with that exact copy of the evidence without altering the original.
03:15
So any type of media that you find seeing via some Dr
03:21
or a computer system you can and should get a forensic image of those.
03:29
And then in our hands on portion, we will demonstrate how to collect a physical image of the USB thumb drive.
03:38
And then guided software produces some very high quality, hard work imaging devices where you do not need an operating system. Our computer to collected images simply attach whatever device you have on hit a button, and it will
03:54
send a bit for bit copy of the data on that system to you forensically white storage medium
04:02
F T K imager is also a great software imager, and it could be downloaded free,
04:08
uh, from the Access Data website, and we're gonna cover both E. F T K imager and the INCASE Forensic imager in the end zone portion.
04:21
So moving on from the imaging, we can then go to look at some of the analysis of the data.
04:28
So there several programs that can assist you and the investigator on analyzing volatile memory. Some of most popular programs for analyzing that data include the program of Volatility and then the Mandy. It's Red Line.
04:46
The cool thing about Red Line is that it is actually
04:50
on acquisition program and analysis program in one
04:56
So and we'll cover the Rat Line
04:59
program a little bit in our hands on portion and explore some of the functionality of red.
05:09
However, after we captured our data and we have it on our forensic device, the next thing to do is
05:16
analyzed to death.
05:18
So once you have the data, what do you do it?
05:21
Investigators need to examine the data for evidence or indicators activity that they believe may have happened.
05:30
So depending on your case, you're going to want to start searching through various portions of your data to help determine rule out activity. Hurt.
05:44
However, before beginning to do this search, you're gonna want to have an idea of what you're looking for, where it may be stored within that data
05:51
again. If you're imaging a two terabyte hard dry are you have numerous hard drives. Searching through
06:01
those
06:02
images could be time consuming and cumbersome
06:08
eso having an idea of what to look for and where to look for it is very important.
06:13
Also, there are numerous forensic analysis programs that can help you to examine some of that data. So f k in case OS forensics autopsies. Those are Cem Cem, good programs that you've been used there, others out there You could just google them,
06:32
uh, again,
06:33
Don't get married to just using one type of analysis program. It's good to know several of these just because the user interfaces of them are different. Some of them provide different outputs on make the data easier to digest. So
06:54
keep
06:54
at least two of these in your tool kit for use for what we're going to talk about in the end zone portion, we're going to use autopsy. An autopsy is a powerful free tool for forensic investigators. And then we'll go into a little bit of how to use autopsy
07:13
in the hands of fortune.
07:16
And then lastly, after we have conducted wth Ian Alice Portion, we're going to get into the forensics portion.
07:27
So are the recording portion. I'm sorry.
07:30
So
07:32
the reporting portion there is essentially going to be two types Of course, I want to be your technical report, which details every flying that you have in a very high level text speak
07:46
that other forensic investigators and technically savvy people are going to be able to understand
07:54
the other type of report that you're going to have this room to be Your investigative report on. That's going to be something that a non technical person can understand. A very cursory, uh, repetition of the who what, When, Where, Why and how.
08:09
With each of those reports that you should begin with a brief executive summary Bottom line up front, this is what happened. This is what I found.
08:22
Everything in your report should be listed in a Siri's and our timeline in some type of logical work. So if you're investigating, for instance, malicious insider threat,
08:37
uh, you know Mr Smith badge in it. The building at 705 I was able to determine Mr Smith logged into his system at this time. Mr. Smith conducted this activity at this time. He then did this at this time. He badged out of the building at this time.
08:56
And all of that timeline
08:58
helps to one make it easy. for the reader to understand that it also
09:05
helps to tie your suspect. Are your event to that particular computer
09:13
that you have been investigating? So that timeline again, it's very important.
09:18
And then your technical reports should include all software and the versions found on the victim machine. It should also include all the software and systems that were used by the investigator during your investigation. So you use Microsoft Word taking that
09:37
you used
09:37
in cakes to do your investigation. Used FBK imager to take an image of something. All of those things should be listed in that technical.
09:52
And then lastly,
09:54
in that report, you want to stick with fax kind of a repetition of Joe Friday. Just the facts, ma'am. No conjectures in your investigative report. Your job is a forensic investigator is to essentially
10:09
stick with those fax and just the fax. And then the lawyers, the attorneys, the administrators, they can come up with whatever conjecture that they want.
10:22
So this will conclude the more or less lecture portion of forensics and support of incident response. We covered a lot of material in this this lecture. We covered the preparation phase of how to get ready
10:41
to respond to that incident.
10:45
We talked about how to
10:46
sanitize and wipe our media when they talked about what items should be delisted included in our tool kit. We talked about note taking.
10:58
Then we talked about the preservation bays of of the investigation have to identify. Essentially destructive activity had stopped destructive activity.
11:09
Then, from there we talked about essentially starting to collect some of that data going through and identifying on spring death finding, collecting that volatile information, gathering wth e bit locker encryption keys and then gathering
11:30
forensically imaging
11:31
some of the devices that we found a thumb drive
11:35
taking an image of the hard drive system. Then we talked about some of the analysis on the ways of programs that we could use to do our forensic analysis. And then lastly, we talked about reporting.
11:48
So no, that's a lot of information, especially some of this is very technical, and you're gonna want to see this hands on. So a CZ we discussed
11:58
Look at the next video and we'll go into some of these forensic techniques and show you have some of these were done again. There will be a very cursory bird short video the completely in depth of how to do 100% forensic investigation That will help explain
12:20
some of the topics that we
12:22
discussed in today's lecture. So thank you. I hope you enjoyed the video. Come back to Cyberia again for more exciting classes.

Up Next

Incident Response & Advanced Forensics

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. Why do I need this certification? As a part of the Incident Response process, ...

Instructed By

Instructor Profile Image
Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor