Forensic Investigations


Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
Welcome back. There are times when we look at an incident and we realize that there was potentially a crime involved. At that point, we have to shift over to forensic investigations. That is going to involve collecting and preserving evidence in such a manner that it would be admissible in a court of law. Now, not all incidents require forensics, but some do. As part of our incident response plan and policy, we have to know when to escalate an incident.

Now, there are seven steps in the forensics investigation process, and you need to make sure you know the flow of these steps for the test and what happens with each one: one, identification; two, preservation; three, collection; four, examination; five, analysis; six, presentation; and seven, decision. Let's talk about these steps a bit more.

The first stage is identifying that something is evidence. Now, Locard's principle of exchange says that when a crime is committed, the attacker takes something and leaves something behind. What they leave behind can help us identify aspects of them. It could be fingerprints, digital signatures, or it could be knowledge of information that suggests who the attacker is or what their motivations were.

The next step is to preserve the evidence. The most important job of a first responder is to preserve evidence. We have to make sure it's collected in a forensically sound manner and that there has been no modification as part of the collection. As soon as we identify that something is evidence, we go right into preservation. This is where we create the chain of custody document. This particular document is really important and definitely could be on the test. The chain of custody documents how evidence was collected, how it was analyzed, how it was transported, and how it was preserved. We don't want anyone to be able to call into question the preservation or integrity of the evidence. Digital evidence can be manipulated so easily. We want to make sure that the evidence is accounted for and that there are no gaps in time. Any documentation should always include time offsets, because it can simply be a matter of minutes or seconds that makes the difference in the evidence being admissible. Hashing algorithms are used to show the integrity of the evidence and that the evidence has not been modified during the investigation process.

Now, the next phase is collection. You want to minimize handling and touching of the evidence. Make sure you're not working on original drives. When it comes to collecting the evidence and then analyzing the evidence, you want to make sure that you take a system image. You don't ever want to work on an original document or file; you always want to copy. You'll hash the original and hash the copy that you're doing the investigation on. We also have to work fast, because a lot of digital evidence is very volatile. Something you need to know for the exam is that you need to collect from the most volatile items first and then the least volatile. This means working in this order: CPU registers, cache, routing table, ARP cache, process tables, RAM, paging file and other temporary file systems. (The paging file could also be called the swap file; it is set aside on a hard drive to act like RAM in the event that the system needs more RAM than is available.) Then hard drive, remote logs and monitoring data, and archive media. Be prepared for a question that might involve a drag and drop of the above list to put it in the correct order, most volatile first.

Examination gives you data; analysis gives you information. When I examine a disk, for instance (and remember, I would be working from a copy of the disk, not the original), I'm looking for data; I'm recording what I see and documenting the facts. But when I get to the analysis, I take the data that I've recorded and I look to get a larger picture. I'm going to put the facts in context. So I put data through analysis and get information.

Once you've done your analysis and you have your information, you would then take it and present the evidence in court. You want to make sure that all these steps have been performed in a forensically sound manner, so when you present the evidence in court, a judge will rule it to be admissible.

As a quick review, when an event has a negative impact on the system, then that event becomes an incident, and how we respond to that event is going to make or break us. Just to review the incident response process: it is preparation, identification, containment, eradication, and recovery, and then lessons learned. Now, once an incident appears to have criminal intent or criminal elements, we then move into forensics, where we follow the seven-step process of forensic investigation: identification, preservation, collection, examination, analysis, presentation, and decision.

I want to stress that this is a very high-level overview of this topic. You can get more in-depth coverage of forensics in another course.
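An added example, not part of the course or its transcript, showing the two preservation controls the lesson stresses working together: hashing the original and the working copy so they can be compared, and a chain-of-custody log with UTC timestamps that flags a gap between handoffs. The sample "evidence" bytes, the names and the custody entries are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a large disk image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

@dataclass
class CustodyEntry:
    when: datetime      # always UTC, so the time offset is never in doubt
    released_by: str
    received_by: str
    action: str         # e.g. "collected", "imaged", "transported", "examined"
    sha256: str         # hash of the evidence as re-verified at this handoff

def chain_is_unbroken(entries) -> bool:
    """No gaps: each handoff starts with whoever last held the evidence,
    time only moves forward, and the hash never changes."""
    for prev, cur in zip(entries, entries[1:]):
        if cur.when < prev.when or prev.received_by != cur.released_by:
            return False
        if cur.sha256 != prev.sha256:
            return False
    return True

def demo() -> dict:
    """Image a constructed 'original', hash both, and check two custody logs."""
    work = Path(tempfile.mkdtemp())
    original = work / "evidence.bin"
    original.write_bytes(b"constructed sample, not a real disk\n" * 64)  # constructed
    copy = work / "evidence.img"
    shutil.copyfile(original, copy)          # work on the copy, never the original
    h_orig, h_copy = sha256_file(original), sha256_file(copy)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    good = [CustodyEntry(t0, "scene", "responder", "collected", h_orig),
            CustodyEntry(t0 + timedelta(minutes=45), "responder", "examiner", "imaged", h_copy)]
    # Same log plus a handoff the examiner never signed out: a gap in the chain
    gap = good + [CustodyEntry(t0 + timedelta(hours=2), "courier", "lab", "transported", h_copy)]
    return {"copy_matches": h_orig == h_copy,
            "good_chain": chain_is_unbroken(good),
            "gap_detected": not chain_is_unbroken(gap)}
```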