1
00:00:06,450 --> 00:00:08,340
- [Instructor] If you are an administrator

2
00:00:08,340 --> 00:00:11,440
or manage information systems and networks,

3
00:00:11,440 --> 00:00:14,350
you should definitely understand cyber forensics.

4
00:00:14,350 --> 00:00:18,230
So, forensics is the process of using scientific knowledge

5
00:00:18,230 --> 00:00:22,190
for collecting, analyzing and presenting evidence

6
00:00:22,190 --> 00:00:26,450
and specifically, in some cases, even to the court.

7
00:00:26,450 --> 00:00:27,890
Or in court.

8
00:00:27,890 --> 00:00:31,150
The word forensics means to actually bring to the court.

9
00:00:31,150 --> 00:00:35,820
So, forensics deals primarily with the recovery and analysis

10
00:00:35,820 --> 00:00:37,660
of latent evidence.

11
00:00:37,660 --> 00:00:40,680
So, latent evidence, it can take many forms.

12
00:00:40,680 --> 00:00:43,450
So from fingerprints left on a window

13
00:00:43,450 --> 00:00:46,600
to DNA evidence recorded from blood stains

14
00:00:46,600 --> 00:00:48,790
to files on a hard drive.

15
00:00:48,790 --> 00:00:50,983
So in the world of cyber forensics,

16
00:00:51,870 --> 00:00:53,650
this is actually more related

17
00:00:53,650 --> 00:00:57,270
to what type of information can you collect

18
00:00:57,270 --> 00:01:00,230
from the network and the devices to one,

19
00:01:00,230 --> 00:01:05,230
understand how a breach or an attack actually took place,

20
00:01:05,480 --> 00:01:08,500
how the attacker compromised the systems

21
00:01:08,500 --> 00:01:13,130
and subsequently, potentially, through attribution

22
00:01:13,130 --> 00:01:14,533
on who the attacker was.

23
00:01:15,520 --> 00:01:18,860
Cyber forensics is often referred to as computer forensics.

24
00:01:18,860 --> 00:01:20,570
On the other hand, cyber forensics is actually

25
00:01:20,570 --> 00:01:24,660
a more appropriate term than computer forensics.
26
00:01:24,660 --> 00:01:28,620
Now, the two primary objectives in cyber forensics

27
00:01:28,620 --> 00:01:32,290
are to find out what happened and to collect data

28
00:01:32,290 --> 00:01:35,430
in a manner that is acceptable in a court,

29
00:01:35,430 --> 00:01:38,150
so into a court of law.

30
00:01:38,150 --> 00:01:40,240
Any device that can store data

31
00:01:40,240 --> 00:01:42,530
is potentially the object of cyber forensics,

32
00:01:42,530 --> 00:01:46,910
including things like computers, servers,

33
00:01:46,910 --> 00:01:49,560
desktop machines, laptops,

34
00:01:49,560 --> 00:01:52,350
tablets, smartphones,

35
00:01:52,350 --> 00:01:54,150
network infrastructure devices like routers,

36
00:01:54,150 --> 00:01:57,650
switches, firewalls, intrusion prevention systems,

37
00:01:57,650 --> 00:02:01,780
any other type of logs from those devices,

38
00:02:01,780 --> 00:02:04,680
network management systems, printers

39
00:02:04,680 --> 00:02:06,840
and even vehicles' GPSs.

40
00:02:06,840 --> 00:02:11,020
So, chain of custody is actually an important term

41
00:02:11,020 --> 00:02:13,310
in cyber forensics.

42
00:02:13,310 --> 00:02:17,440
So, and it's extremely critical to forensics investigations.

43
00:02:17,440 --> 00:02:20,600
Now, chain of custody is the way

44
00:02:20,600 --> 00:02:23,450
that you document and preserve evidence

45
00:02:23,450 --> 00:02:24,790
from the time that you actually started

46
00:02:24,790 --> 00:02:26,850
the cyber forensics investigation

47
00:02:26,850 --> 00:02:31,026
to the time the evidence is actually presented at a court.
48
00:02:31,026 --> 00:02:33,380
And it is extremely important

49
00:02:33,380 --> 00:02:36,600
to be able to show clear documentation of things

50
00:02:36,600 --> 00:02:40,910
like how the evidence was collected, when it was collected,

51
00:02:40,910 --> 00:02:43,580
how it was actually transported,

52
00:02:43,580 --> 00:02:47,640
how it was actually tracked throughout the investigation

53
00:02:47,640 --> 00:02:49,970
and how it was stored.

54
00:02:49,970 --> 00:02:54,950
Also, log and document how and who

55
00:02:54,950 --> 00:02:58,420
had access to the evidence and how it was actually accessed.

56
00:02:58,420 --> 00:03:00,690
So it is actually really important to know

57
00:03:00,690 --> 00:03:03,720
that if you fail to maintain proper chain of custody

58
00:03:03,720 --> 00:03:06,840
it's likely that you cannot use that evidence in court.

59
00:03:06,840 --> 00:03:09,520
It is also important to know how to dispose of

60
00:03:09,520 --> 00:03:11,520
evidence after an investigation.

61
00:03:11,520 --> 00:03:13,290
So, when you collect evidence

62
00:03:13,290 --> 00:03:16,110
you must protect its integrity.

63
00:03:16,110 --> 00:03:18,820
This involves making sure that nothing

64
00:03:18,820 --> 00:03:20,570
is added to the evidence

65
00:03:20,570 --> 00:03:23,520
and that nothing is actually deleted or destroyed.

66
00:03:23,520 --> 00:03:26,170
And this is actually also referred to

67
00:03:26,170 --> 00:03:28,610
as evidence preservation.

68
00:03:28,610 --> 00:03:33,007
So, a method actually often used for evidence preservation

69
00:03:33,007 --> 00:03:37,390
is to only work from a copy, not the original,

70
00:03:37,390 --> 00:03:39,440
but from a copy of the evidence.

71
00:03:39,440 --> 00:03:40,610
So in other words,

72
00:03:40,610 --> 00:03:44,620
do not directly work with the evidence itself.

73
00:03:44,620 --> 00:03:46,640
This involves creating an image

74
00:03:46,640 --> 00:03:49,620
of any hard drive or any storage device.
75
00:03:49,620 --> 00:03:52,690
So, there's several forensic tools out there,

76
00:03:52,690 --> 00:03:57,131
so I'm including here the two most popular ones.

77
00:03:57,131 --> 00:04:00,370
The first one is actually Guidance Software EnCase.

78
00:04:00,370 --> 00:04:02,580
And I'm also including a link where you can get

79
00:04:02,580 --> 00:04:04,310
more information about that software,

80
00:04:04,310 --> 00:04:07,423
and AccessData Forensic Toolkit.

81
00:04:08,300 --> 00:04:10,560
Also, including a link here for your reference.

82
00:04:10,560 --> 00:04:13,820
Another methodology used in evidence preservation

83
00:04:13,820 --> 00:04:17,100
is to use write-protected storage devices.

84
00:04:17,100 --> 00:04:18,065
In other words, the storage device

85
00:04:18,065 --> 00:04:21,070
that you're actually investigating

86
00:04:21,070 --> 00:04:26,070
should immediately be write-protected before it is imaged.

87
00:04:27,030 --> 00:04:30,020
And it should be actually labeled to include

88
00:04:30,020 --> 00:04:32,410
many things like the investigator's name,

89
00:04:32,410 --> 00:04:35,320
the date when the image was actually created

90
00:04:35,320 --> 00:04:37,880
and even, if applicable, a case number

91
00:04:37,880 --> 00:04:40,011
or some type of tracking number.

92
00:04:40,011 --> 00:04:44,650
Also, you must prevent that electronic static, right,

93
00:04:44,650 --> 00:04:47,483
or other discharge damages or erases

94
00:04:47,483 --> 00:04:50,590
that data that you're actually preserving.

95
00:04:50,590 --> 00:04:54,910
You can use evidence bags that are antistatic,

96
00:04:54,910 --> 00:04:59,270
you should also use to store those types of bags

97
00:04:59,270 --> 00:05:01,644
for storing any type of digital devices,

98
00:05:01,644 --> 00:05:06,550
any type of things like motherboards or SSDs,

99
00:05:06,550 --> 00:05:09,790
any type of information or devices' hardware

100
00:05:09,790 --> 00:05:11,070
that you're actually collecting.
101
00:05:11,070 --> 00:05:12,250
So it is very important

102
00:05:12,250 --> 00:05:15,620
that you prevent electrostatic discharge or ESD

103
00:05:15,620 --> 00:05:20,010
and other types of discharges from damaging that evidence.

104
00:05:20,010 --> 00:05:22,320
So some organizations even have

105
00:05:22,320 --> 00:05:24,590
cyber security forensics labs.

106
00:05:24,590 --> 00:05:29,590
So, and they're very controlled access environments that are,

107
00:05:29,700 --> 00:05:31,110
you know, that are controlled

108
00:05:31,110 --> 00:05:34,220
to authorized users and investigators only.

109
00:05:34,220 --> 00:05:36,570
So a method that is actually often

110
00:05:36,570 --> 00:05:41,110
used is constructing what we call a Faraday cage,

111
00:05:41,110 --> 00:05:43,920
and this is actually a cage that is often built

112
00:05:43,920 --> 00:05:46,480
out of a mesh of conducting metal

113
00:05:46,480 --> 00:05:49,430
that prevents electromagnetic energy

114
00:05:49,430 --> 00:05:54,430
from entering into the area or escaping from that cage.

115
00:05:55,360 --> 00:05:59,020
So it also prevents devices from communicating

116
00:05:59,020 --> 00:06:02,880
via things like Wi-Fi or cellular signals and so on.

117
00:06:02,880 --> 00:06:05,780
So you don't want for any device to actually be

118
00:06:05,780 --> 00:06:10,320
either communicating out via wireless mechanisms.

119
00:06:12,550 --> 00:06:16,930
Now, how you transport the evidence to the forensics labs

120
00:06:16,930 --> 00:06:19,820
and any other place, including the courthouse,

121
00:06:19,820 --> 00:06:22,080
has to be done in a very careful way.

122
00:06:22,080 --> 00:06:24,230
So it is critical that the chain of custody

123
00:06:25,100 --> 00:06:28,100
must be maintained during this transportation.
124
00:06:28,100 --> 00:06:30,210
And whenever you transport the evidence,

125
00:06:30,210 --> 00:06:34,940
it's best if you can securely store that evidence

126
00:06:34,940 --> 00:06:36,543
in a lockable container.

127
00:06:37,430 --> 00:06:39,420
So, some type of container, briefcase,

128
00:06:39,420 --> 00:06:42,810
or something that is actually lockable or that has a lock.

129
00:06:42,810 --> 00:06:44,720
It is actually recommended.

130
00:06:44,720 --> 00:06:47,700
So it is also recommended that a responsible person

131
00:06:47,700 --> 00:06:51,350
stays with the evidence at all times during transportation

132
00:06:51,350 --> 00:06:53,350
and during the handling of the evidence.