00:00:06,680 --> 00:01:13,170
Cyber security forensics, or digital forensics, has been a growing interest among many organizations and individuals. And this is due to the large number of breaches during the last few years, right? So, many folks choose digital forensics as a career path in law enforcement and corporate investigations as well. So, during the last few years there has been an advent of many technologies and forensic processes that are designed to meet the growing number of cases relying on digital evidence, right? So, there's a shortage of well-trained, experienced personnel that are experts in cyber security forensics. Cyber security forensics practitioners are at a crossroads in terms of changes affecting evidence recovery and also management. Forensic evidence is actually meant to be brought into courts, right? The courts of law. And this is why it is extremely important for digital forensic experts to collect and maintain reliable evidence and a good analysis that's actually done of their findings, right?
00:01:13,170 --> 00:02:19,800
So, also there's a huge increase in cyber crime that has increased the need for enhanced information security management, right? So, it also requires forensics experts to help remediate the network and the affected systems, and also try to reveal who was the responsible threat actor. Right? So, this is actually often called threat actor attribution. Now, desktops, laptops, mobile devices, servers, firewall logs, any type of logs from networking infrastructure devices, are rich sources of evidentiary information. So, that can be of value as evidence that can assist forensics experts in reconstructing the attack and also gaining an understanding of the threat actor responsible for the attack. There are 3 categories for cybersecurity investigations. The first one is public investigations, which are actually resolved in a court of law. The second one is private investigations, of which corporate investigations are an example, and then also individual, which is actually often in the form of e-discovery.
00:02:19,800 --> 00:03:29,060
In addition to cyber crime and cyber attacks, evidence found on a system or in a network, in this case, may actually be presented in a court of law to support accusations of crime or civil action, right? And this is a listing here that I'm including, but it is actually not limited to just this, right? So, examples of these civil actions or even crimes are extortion, domestic violence, fraud (that includes money laundering and theft), drug-related crimes, murder and acts of violence, pedophilia, cyber stalking, cyber attacks and terrorism. And of course the list goes on and on, right? So, usually criminal investigations and prosecutions involve government agencies that work within the framework of the criminal law, right? So, cyber security forensics practitioners are expected to provide evidence that may help the court make their decision in the investigative case, right? So, also practitioners must constantly be aware of and comply with regulations and laws during the case examination and also the evidence presentation as well. Right?
00:03:29,060 --> 00:04:43,190
So, now it is important to know the factors that may be detrimental to the disclosure of evidence, that will actually challenge the validity of that evidence, right? So, if anything actually changes in the evidence per se, I mean of course, it may not be able to actually be presented in court. Now, digital forensics evidence is information in digital form found in a huge range of endpoint, server and network devices, right. And basically, digital evidence is any information that can be processed by a computing device or stored in any media, right? A digital media. So, evidence tendered in legal cases includes things like criminal trials, like we mentioned before, or, you know, cyber attacks or a breach. All this evidence is actually classified as witness testimony or direct evidence. There's also another category of indirect evidence in the form of an object, such as a physical document, the property owned by persons and, you know, so on, so forth. Cyber security forensics evidence can take many forms depending on the conditions of each case and the devices from where that evidence was actually collected.
00:04:43,190 --> 00:05:57,560
There are 3 general types of evidence, right? So, the first one is best evidence. The second one is corroborating evidence, and the third one is indirect or circumstantial evidence. Right? So, historically, the term best evidence refers to the evidence that can be presented in a court of law in the original form. However, of course, in cyber forensics, with data photography and things like copy machines, computer storage, cloud storage, you may ask "so what is actually the original?", right? So, typically, properly collected system images, you know, and appropriate copies of files can be used in court in that case, right? So again, that's one of the differences whenever we actually refer to, or historically refer to, best evidence, right? So, in this case, the original form can of course be a properly collected copy of that original evidence, right? So, a system image, for example. Now corroborating evidence, or corroboration, is evidence that tends to support a theory or an assumption deduced from some initial evidence, right?
00:05:57,560 --> 00:07:13,960
So, this corroborating evidence, it confirms the proposition in the law, in the court of law, right? So, now indirect or circumstantial evidence relies on an extrapolation to a conclusion of fact; that includes things like a fingerprint, right? Or DNA evidence collected from a subject, right? Now, this of course is actually a lot different than direct evidence, right? So, direct evidence supports the truth of a proclamation without the need of additional evidence or interpretation, right? So, forensic evidence provided by an expert witness is typically considered as circumstantial evidence, right? So, indirect or circumstantial evidence is actually often used in civil or criminal cases lacking direct evidence, right? So, if you don't have direct evidence you may actually resort to indirect or circumstantial evidence, right? So, digital information stored in electronic databases and in audit logs, that are of course computer-generated and that do not contain information generated by humans, has been challenged in the past, right? In some court trials, right?
00:07:13,960 --> 00:07:39,853
So, law enforcement and courts can also demand proof that the creation and also the storage of evidence records are actually part of the organization's business activities. Right? So, that is actually very important. And throughout this course you will learn how to handle detailed evidence, which is actually really important so that you preserve the evidence to be valid in a court of law.
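The lecture's point that a properly collected copy only serves as best evidence while nothing in it has changed can be checked mechanically. The following is an added example, not part of the lecture or its course material: it records a SHA-256 acquisition hash in a chain-of-custody entry and later verifies a working copy against it. The image contents, file names, examiner and case id are constructed placeholders.

```python
"""Added example: acquisition hash and custody record for a forensic image.
Hypothetical helper, not course code; all names and sample data are constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_acquisition(image: Path, examiner: str, case_id: str) -> dict:
    """Chain-of-custody entry written at collection time, before any analysis."""
    return {"case_id": case_id, "examiner": examiner, "item": image.name,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(image)}


def verify_copy(record: dict, copy_path: Path) -> bool:
    """A working copy is only usable as best evidence if it still matches the record."""
    return sha256_file(copy_path) == record["sha256"]


def demo() -> tuple:
    """Constructed scenario: a tiny 'disk image', one faithful copy and one altered copy."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "evidence.dd"  # placeholder file name
    original.write_bytes(b"\x33\xc0\x8e\xd0" * 16 + b"constructed sample image")
    record = record_acquisition(original, "Examiner (placeholder)", "CASE-0000")
    (workdir / "custody.json").write_text(json.dumps(record, indent=2))

    faithful = workdir / "evidence_copy.dd"
    faithful.write_bytes(original.read_bytes())
    altered = workdir / "evidence_altered.dd"
    altered.write_bytes(original.read_bytes()[:-1] + b"!")  # a single byte differs
    return verify_copy(record, faithful), verify_copy(record, altered)


if __name__ == "__main__":
    print(demo())  # (True, False): the faithful copy verifies, the altered one does not
```

The custody record is written before the copies are made, so a later mismatch points at the copy, not at the acquisition.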