00:03
>> Moving on from our trusted tools, after we have our toolkit gathered up, we can use other programs essentially to capture volatile memory. The trusted toolkit will help us gather information about that system at that command prompt level. But if we want to automate this process or capture the entire volatile memory, we can use FTK Imager, we can use DumpIt, or we can use Mandiant Redline. Any of those programs will essentially grab all of that volatile memory, all of that RAM, and then put that out to a file system where you can analyze that. We'll go over that in-depth in the handling portion as well.

Remember though, the best practice in capturing this volatile memory is to use removable media with installed software to avoid adding files to the system that can overwrite data.
Then there's the disk encryption process after you've collected the volatile data, if you believe that the system may have BitLocker on it, which, if your system is running Microsoft Windows Vista or later editions, then it is highly likely that it at least has the ability to have BitLocker on it. If you're not familiar with what type of operating system you've discovered, you can open up a command prompt from your trusted toolkit and type in winver, and that will give you the operating system. If you believe that the system does have BitLocker, you can type in the following command: manage-bde.exe -status. That will show you whether BitLocker is enabled on the system. If BitLocker is enabled, you can type in the preceding command of manage-bde.exe -protectors -get. That will provide you the recovery password. Then once you get that recovery password, you're going to want to save that to some type of Notepad document onto your forensically wiped thumb drive or hard drive. That way you will have those encryption keys. You can go ahead and get that physical image of the device, and you'll be able to get into it and it will be useful.
The next step is going to be creating the physical image of your system's hard drive. There are both software and hardware imaging tools, and imaging allows the investigator, again, to work with that exact copy of the evidence without altering the original. Any type of media that you find, be it a thumb drive or a computer system, you can and should get a forensic image of those. Then in our hands-on portion, we will demonstrate how to collect the physical image of the USB thumb drive. Then Guidance Software produces some very high-quality hardware imaging devices where, without an operating system or a computer to collect an image, you can simply attach whatever device you have and hit a button and it will send a bit-for-bit copy of the data on that system to your forensically wiped storage media. FTK Imager is a great software imager and it can be downloaded free from the AccessData website. We're going to cover both the FTK Imager and the EnCase forensic imager in the hands-on portion.
Moving on from the imaging, we can then go to look at some of the analysis of the data. There are several programs that can assist you and the investigator in analyzing volatile memory. Some of the most popular programs for analyzing that data include the program Volatility and then Mandiant Redline. The cool thing about Redline is that it is actually an acquisition program and analysis program in one. We'll cover the Redline program a little bit in our hands-on portion and explore some of the functionality of Redline. However, after we've captured our data and we have it on our forensic device, the next thing to do is analyze the data.
Once you have the data, what do you do with it? Investigators need to examine the data for evidence or indicators of activity that they believe may have happened. Depending on your case, you're going to want to start searching through various portions of the data to determine or rule out that activity occurred. However, before beginning to do this search, you're going to want to have an idea of what you're looking for and where it may be stored within that data. Again, if you're imaging a two-terabyte hard drive or you have numerous hard drives, searching through those images could be time-consuming and cumbersome. Having an idea of what to look for and where to look for it is very important.

Also, there are numerous forensic analysis programs that can help you to examine some of that data: FTK, EnCase, OSForensics, Autopsy. Those are some good programs that you can use. There are others out there. You could just Google them. Again, don't get married to just using one type of analysis program. It's good to know several of these, just because the user interfaces of them are different. Some of them provide different outputs and make the data easier to digest. Keep at least two of these in your toolkit for use. For what we're going to talk about in the hands-on portion, we're going to use Autopsy. Autopsy is a powerful free tool for forensic investigators. Then we'll go into a little bit of how to use Autopsy in that hands-on portion.
Then lastly, after we have conducted the analysis portion, we're going to get into the reporting portion. In the reporting portion, there are essentially going to be two types of reports. It's going to be your technical report, which details every [inaudible] that you have in a very high-level tech speak that other forensic investigators and technically savvy people are going to be able to understand. The other type of report that you're going to have is going to be your investigative report. That's going to be something that a non-technical person can understand. A very cursory repetition of the who, what, when, where, why, and how.

With each of those reports though, you should begin with a brief executive summary. Bottom line up front. This is what happened. This is what I found. Everything in your report should be listed in a series and/or a timeline in some type of logical order. If you're investigating, for instance, a malicious insider threat: Mr. Smith badged in at the building at 7:05. I was able to determine Mr. Smith logged into his system at this time. Mr. Smith conducted this activity at this time. He then did this at this time. He badged out of the building at this time. All of that timeline helps to, one, make it easy for the reader to understand, but it also helps to tie your suspect or your event to that particular computer that you have been investigating. That timeline, again, is very important.

Then your technical reports should include all the software and the versions found on the victim machine. It should also include all the software and systems that were used by the investigator during your investigation. If you use Microsoft Word to take notes during your investigation and then use FTK Imager to take an image of something, all of those things should be listed in that technical report. Then lastly, in that report, you want to stick with the facts. A repetition of Joe Friday: just the facts, ma'am. No conjectures in your investigative report. Your job as a forensic investigator is to essentially stick with those facts and just the facts, and then the lawyers, the attorneys, the administrators, they can come up with whatever conjecture they want.
This will conclude, more or less, the lecture portion of forensics in support of incident response. We covered a lot of material. We covered the preparation phase of how to get ready to respond to that incident. We talked about how to sanitize and wipe our media. We've talked about what items should be listed and included in our toolkit. We talked about note-taking. Then we talked about the preservation phase of the investigation, how to identify essentially destructive activity, how to stop disrupting activity. Then from there, we talked about essentially starting to collect some data, going through and identifying on-screen data, finding and collecting that [inaudible] information, gathering the BitLocker encryption keys, and then forensically imaging some of the devices that we found, thumb drives, taking an image of the system hard drive. Then we talked about some of the analyses and the ways and programs that we can use to do our forensic analysis. Then lastly, we talked about reporting.

I know that's a lot of information, and especially since some of this is very technical, you're going to want to see this hands-on. Look at the next video and we'll go into some of these forensic techniques and show you how some of these are done. Again, it'll be a very cursory, very short video; it won't be completely in-depth on how to do a 100 percent forensic investigation, but it will help explain some of the topics that we discussed in today's lecture. Thank you. I hope you enjoyed the video. Come back to Cybrary again for more exciting classes.