1
00:00:06,940 --> 00:00:08,470
- [Instructor] Chain of custody is critical

2
00:00:08,470 --> 00:00:10,533
to forensics investigations.

3
00:00:12,290 --> 00:00:16,140
It is the way you document and preserve evidence

4
00:00:16,140 --> 00:00:18,040
from the time that you started

5
00:00:18,040 --> 00:00:20,500
the cyber forensics investigation

6
00:00:20,500 --> 00:00:23,430
to the time the evidence is presented at court

7
00:00:23,430 --> 00:00:25,400
or to your executives,

8
00:00:25,400 --> 00:00:27,773
in the case of an internal investigation.

9
00:00:29,470 --> 00:00:32,540
It is extremely important to be able to show

10
00:00:32,540 --> 00:00:37,540
clear documentation of how the evidence was collected,

11
00:00:37,740 --> 00:00:41,763
when it was collected, how it was transported,

12
00:00:42,840 --> 00:00:46,813
how it was tracked, how it was stored,

13
00:00:48,980 --> 00:00:53,320
and who had access to the evidence and how it was accessed.

14
00:00:53,320 --> 00:00:56,200
If you fail to maintain a proper chain of custody,

15
00:00:56,200 --> 00:01:00,910
it is likely you cannot use that evidence in court.

16
00:01:00,910 --> 00:01:05,720
It is also important to know how to dispose of evidence

17
00:01:05,720 --> 00:01:07,373
after an investigation.

18
00:01:09,940 --> 00:01:12,200
Maintaining the data integrity

19
00:01:12,200 --> 00:01:17,200
is also a very important piece of the process.

20
00:01:18,130 --> 00:01:21,980
When you collect evidence, you must protect its integrity.

21
00:01:21,980 --> 00:01:25,440
This involves making sure that nothing is added

22
00:01:25,440 --> 00:01:29,633
to the evidence and that nothing is deleted or destroyed.

23
00:01:30,610 --> 00:01:33,603
This is known as evidence preservation.

24
00:01:35,250 --> 00:01:38,420
A method often used for evidence preservation

25
00:01:38,420 --> 00:01:41,510
is to only work with a copy of the evidence.
26
00:01:41,510 --> 00:01:42,670
In other words,

27
00:01:42,670 --> 00:01:45,600
not directly working with the evidence itself.

28
00:01:45,600 --> 00:01:50,050
This involves creating an image of a hard drive

29
00:01:50,050 --> 00:01:52,503
or any storage device.

30
00:01:53,400 --> 00:01:56,623
Several forensics tools are available on the market,

31
00:01:57,940 --> 00:02:00,580
such as Guidance Software's EnCase

32
00:02:00,580 --> 00:02:03,073
and AccessData's Forensic Toolkit.

33
00:02:04,290 --> 00:02:07,630
There are several open source tools and Linux distributions

34
00:02:07,630 --> 00:02:10,670
that can be used for digital forensics.

35
00:02:10,670 --> 00:02:15,053
Examples include Security Onion, CAINE, SIFT and others.

36
00:02:16,760 --> 00:02:20,550
Another methodology used in evidence preservation

37
00:02:20,550 --> 00:02:23,260
is to use write-protected storage devices.

38
00:02:23,260 --> 00:02:26,610
In other words, the storage device you are investigating

39
00:02:26,610 --> 00:02:30,450
should immediately be write-protected before it is imaged,

40
00:02:30,450 --> 00:02:34,330
and should be labeled to include the following:

41
00:02:34,330 --> 00:02:39,330
investigator's name, the date when the image was created,

42
00:02:39,670 --> 00:02:42,943
and the case name or number, if applicable.

43
00:02:43,920 --> 00:02:46,990
Additionally, you must prevent electrostatic

44
00:02:46,990 --> 00:02:50,700
or other discharge from damaging

45
00:02:50,700 --> 00:02:53,250
or erasing evidentiary data.

46
00:02:53,250 --> 00:02:56,990
Special evidence bags that are anti-static should be used

47
00:02:56,990 --> 00:02:59,610
to store digital devices.

48
00:02:59,610 --> 00:03:03,910
It's very important that you prevent electrostatic discharge

49
00:03:03,910 --> 00:03:08,810
and other electrical discharges from damaging your evidence.
50
00:03:08,810 --> 00:03:12,230
Some organizations even have cyber forensics labs

51
00:03:12,230 --> 00:03:13,530
that control access

52
00:03:13,530 --> 00:03:18,280
to only authorized users and investigators.

53
00:03:18,280 --> 00:03:21,570
One method often used involves constructing

54
00:03:21,570 --> 00:03:23,493
what is called a Faraday cage.

55
00:03:24,390 --> 00:03:27,460
This cage is often built out of a mesh

56
00:03:27,460 --> 00:03:32,140
of conducting material that prevents electromagnetic energy

57
00:03:32,140 --> 00:03:36,350
from entering into or escaping from the cage.

58
00:03:36,350 --> 00:03:40,210
Also, this prevents devices from communicating

59
00:03:40,210 --> 00:03:42,993
via Wi-Fi or cellular signals.

60
00:03:46,550 --> 00:03:49,540
Transporting the evidence to the forensics lab

61
00:03:49,540 --> 00:03:52,570
or any other place, including the courthouse,

62
00:03:52,570 --> 00:03:55,090
has to be done very carefully.

63
00:03:55,090 --> 00:03:58,110
It is critical that the chain of custody

64
00:03:58,110 --> 00:04:01,040
be maintained during this transport.

65
00:04:01,040 --> 00:04:02,610
When you transport the evidence,

66
00:04:02,610 --> 00:04:06,360
you should secure it in a lockable container.

67
00:04:06,360 --> 00:04:09,790
It is also recommended that the responsible person

68
00:04:09,790 --> 00:04:11,840
stay with the evidence at all times

69
00:04:11,840 --> 00:04:13,483
during the transportation.

70
00:04:15,170 --> 00:04:18,550
Computer memory is any physical device capable

71
00:04:18,550 --> 00:04:22,160
of storing information in a temporary or permanent state.

72
00:04:22,160 --> 00:04:25,100
Memory can be volatile or non-volatile.

73
00:04:25,100 --> 00:04:28,810
Volatile memory is memory that loses its contents

74
00:04:28,810 --> 00:04:32,570
when the computer or hardware storage device loses power.

75
00:04:32,570 --> 00:04:36,460
RAM is an example of volatile memory.
76
00:04:36,460 --> 00:04:39,160
That's why you never hear people say

77
00:04:39,160 --> 00:04:41,660
they are saving something to RAM.

78
00:04:41,660 --> 00:04:44,483
It's designed for application performance.

79
00:04:45,650 --> 00:04:48,620
You might be thinking that there isn't a lot of value

80
00:04:48,620 --> 00:04:50,140
for the data stored in RAM.

81
00:04:50,140 --> 00:04:53,540
However, from a digital forensics viewpoint,

82
00:04:53,540 --> 00:04:57,580
the following data can be obtained by investigating RAM:

83
00:04:57,580 --> 00:05:01,520
running processes, who's logged in,

84
00:05:01,520 --> 00:05:05,410
passwords in clear text, unencrypted data,

85
00:05:05,410 --> 00:05:08,980
instant messages, registry information,

86
00:05:08,980 --> 00:05:12,583
executed console commands, attached devices,

87
00:05:13,450 --> 00:05:16,653
open ports, listening applications.

88
00:05:17,980 --> 00:05:21,420
Non-volatile memory, or NVRAM, on the other hand,

89
00:05:21,420 --> 00:05:25,320
holds data with or without power.

90
00:05:25,320 --> 00:05:29,133
EPROM would be an example of non-volatile memory.