[00:00:06] [Narrator] Cyber security forensics, and specifically the art of collecting evidence, can take many different forms depending on the conditions of each case and also the devices from which you are actually collecting that evidence, right? Now, to prevent or minimize the contamination of the actual source and that evidence, you can use different tools, which include things like a piece of hardware called a write blocker, right? And a specific device so you can actually copy all the data or collect an image of the system, right? And it's actually extremely important that you preserve evidence in a correct way, right? Now, the imaging process is actually intended to copy all blocks of data from the computing device to the forensics professional's evidentiary system, right? So this is sometimes referred to as a physical copy of all data, as distinct from a logical copy, which is only copying what the user would actually normally see, right?
[00:01:13] So now, logical copies do not capture all data, and the process will actually alter some of the metadata to the extent that the forensics value of that data is actually greatly diminished, right? Now, that results in possible legal challenges by the opposing legal team in the case that you're actually in court. Now, that's why a full bit-for-bit copy is the preferred forensics process, right? The file created on the target device is actually called a forensics image or forensics image file. These are some of the most common file types for forensics images, for your reference. They include things like .AFF, .ASB, E01, dd or raw image files, and also virtual image formats such as VMDK or VDI in the case of VMs, right? Now, the benefit of actually being able to create an exact copy of the data is that you can copy that data and then the original device can be returned to the owner or actually stored for a trial without normally having to be examined repeatedly, right? So you actually work from that copy.
[00:02:32] This also reduces the likelihood of drive failures or evidence contamination, right? Now, SANS has a good resource that goes over disk imaging tools in cyber forensics, and I'm actually including the link here for your reference. So, I invite you to actually read that white paper that goes over how disk imaging works and also the different disk imaging tools available in the market. Now, in short, imaging or disk imaging is actually the process of making a forensically sound copy to media that can retain the data for an extended amount of time, right? One of the things to be careful about is actually to make sure that the entire image, or the entire disk, is actually taken, and that the disk imaging does not alter the layout of the copy or even omit free or deleted space, right? That's important. And you actually learned some of these concepts earlier in this course. Now, it is very important to have a forensically sound copy of the original evidence and that you only work from that copy, right?
[00:03:47] And that's actually, of course, to avoid making changes or altering the original image. Now, in addition, you should also use appropriate media to avoid any alteration or contamination of the evidence, right? So, the original copy should be placed in secure storage or a secure safe. There's also the process of file deletion, and also its degradation and eventual erasure through system operation, right? So this results in many files actually being partly stored in the unallocated area of a system hard drive. And typically, such fragments of files can actually only be located or carved out manually, and typically that's actually using a hex editor to be able to identify the specific file headers, right? Not only the file headers, but also the footers and the segments held in the image. And this is because the file system allocation information is actually not typically available, and that results in a very labor-intensive and challenging operation for the forensics professional.
[00:05:03] Now, file carving continues to be an important process used in many cases where the recovery of allegedly deleted files is actually required, right? So now there are different forensic tools such as iLook IX, EnCase and many others that provide features that allow you to locate blocks and sectors of hard drives that actually can contain deleted important information, right? So recovering files from unallocated space is actually usually referred to as data carving. It is very important to make sure that the timestamps of all files on a system being analyzed, of course, during the cyber forensic investigation, are actually reliable, right? And this is because it is critical for making a valid reconstruction of key events of that security incident or that specific attack. Now, collecting evidence from mobile devices is another thing that you actually have to worry about, right? So mobile devices such as cell phones, wearables, tablets, are not imaged in the same way as desktops. Today's Internet of Things or IoT landscape is very different from just a few years ago, right?
[00:06:29] So now you actually have to worry about collecting evidence from low-power and low-resource devices, including not only mobile devices, but also sensors, fog/edge devices, and many others, right? So now even your refrigerator, your thermostat, different sensors around the house or a manufacturing utility or a farm, the list goes on and on. The world of IoT is actually becoming a lot more complicated. Now, the hardware and the interfaces of these devices, from a forensics perspective, are very different, right? So for example, an iPhone cannot be accessed unless you actually know the manufacturing password from Apple. And of course, there have been many dilemmas and things in the news that you actually have heard before, right? This is because, of course, Apple uses a series of encrypted sectors located in microchips, making it actually difficult to access specific raw data inside the actual phones and tablets and mobile devices that they produce.
[00:07:38] Now, also, newer Android versions also prevent more than a backup from being taken from a device and no longer allow physical dumps to actually be recovered, right? So that's another challenge in some cases in cyber security investigations and cyber forensics. Now, also in some cases, not only is it needed to collect evidence from mobile devices, but also from mobile device management applications or MDM solutions, right? So that's something to actually keep in mind. Another thing is actually collecting evidence from networking infrastructure devices, right? You can collect a lot of information from network infrastructure devices such as routers, switches, wireless LAN controllers, load balancers, firewalls, and many other devices that can be very beneficial for a cyber security forensics investigation, right? So, collecting all this data can be easier said than done, of course, right?
[00:08:37] This is why it is extremely important to have one or more systems as a central log repository strategy and to configure all your networking devices to actually forward events to these central log analysis tools, right? You should also make sure that it can hold several months' worth of events, right? So, as you actually learned during your preparation for the previous exam, the SECFND exam, Syslog is actually often used to centralize the collection of logs and, of course, to store them in centralized systems, right? And now you should also increase the types of events that are logged in your environment, for example, DHCP events, NetFlow network metadata, VPN logs, and so on. Now, another important thing to keep in mind is that network devices can also be compromised, right? And subsequently the data generated by these devices can also be assumed to be compromised and manipulated by the attacker. So, finding forensic evidence for these incidents can be a little bit more troublesome and much harder than what we think, right?
[00:09:59] So, for example, a device actually can be compromised to the point that it can be manipulated to, let's say, perform network address translation. But whenever you do a show run, or you show the configuration on the device, or show statistics of network address translation or NAT, you don't see anything, because the attacker may have manipulated the system so that it actually suppresses not only the configuration parameters but also the logs that are generated that are relevant to that specific feature, in this case NAT, right? Now, network infrastructure devices actually can be compromised by different attack methods, including, of course, leftover troubleshooting commands that the administrator may actually have left there, or, in the case of Cisco TAC perhaps actually helping you in troubleshooting, also manipulating Cisco IOS images, right? Now, modern technologies like Secure Boot, of course, prevent this.
[00:11:00] But in the case of legacy devices, actually we saw that in many cases the IOS images actually were manipulated and installed on the devices, and also security vulnerabilities, of course. Now, Cisco has several good resources that go over device integrity assurance and also the verification of those devices. And I'm including here tons of references, including things like the Cisco IOS Software Integrity Assurance, the same thing for Cisco IOS XE, how to harden Cisco IOS devices, also how to perform image verification in Cisco IOS, and how to also do offline analysis of image integrity as well. And of course, as you see here, the list goes on and on. Now, these documents go over numerous identification techniques. That includes image file verification using MD5 and SHA256 using the image verification features, not only on the device, but also offline, verifying authenticity of digitally signed images, running IOS runtime memory integrity verification using core dumps, also creating a known-good text region as part of those types of core dumps as well.
[00:12:19] And the text memory section export and how to analyze that. And even checking for external accounting logs, Syslogs, checking for boot information, checking the ROMMON variables and also ROMMON information, because in the past even the ROMMON has been compromised, right? Now, there are several preventive steps that you can actually take to facilitate a forensics investigation of networking devices. And that actually includes different best practices like maintaining the Cisco IOS image file integrity, right? Also implementing change control, hardening the software distribution server that you actually use to distribute the image to the devices, keeping Cisco IOS software updated, right?
[00:13:03] And making sure that you follow the Cisco PSIRT advisories, security advisories, and that you actually patch your devices, of course, checking for Secure Boot, Cisco supply chain security, leveraging the latest IOS security protection features, using authentication, authorization and accounting, implementing configuration controls, protecting the interactive access to devices, gaining traffic visibility with NetFlow, and also using centralized and comprehensive logging, as we mentioned before. So again, all this list is actually for your reference and also included in the documents whose links I provided before.