- [Instructor] One of the key topics in cybersecurity forensics is attribution of assets and threat actors. So again, not only attribution to who actually performed the security incident or the attack, but also what systems were involved, right? So then you can do further attribution to the threat actor. Now, there's definitely undeniable motivation to support an evidence-led approach to cybersecurity forensics to achieve good attribution. Now, a suspect-led approach is actually often biased to the disadvantage of those being investigated. And this is due to the large number of technical complexities, and it is often impractical for cybersecurity forensics experts to be able to determine fully the reliability of endpoints, and also the reliability of servers and networking infrastructure devices, and subsequently actually to provide assurance to the court or to the entity that is investigating the issue about the actual soundness of the processes involved and complete attribution to a threat actor, right? Now, the forensics expert needs to ensure that no parts of the examination process were overlooked or repetitive.
Also, cybersecurity forensic experts are often confronted with the inefficacy of traditional security processes in systems and networks designed to preserve documents and network functionality, especially since most systems are not designed to enhance digital evidence recovery. Now, there's a need for appropriate cybersecurity forensics tools, including software imaging like we mentioned before, and also the indexing of the large data sets in order to successfully reconstruct an attack and attribute such an attack to an asset or to a threat actor. Now, one thing to keep in mind is that traditional data forensics tools are typically designed to obtain the lowest hanging fruit and encourage security professionals to actually look for the evidence that is easier, or the easiest evidence, to be identified and to be recovered. Now, often these tools do not have the capabilities to even recognize other less obvious evidence, right? So that's one of the considerations that you actually have to keep in mind when selecting a cyber forensics tool.
Now, during the cybersecurity investigation, the forensics expert may revisit portions of the evidence to actually determine its validity, right? Now, as a result, it may require additional investigations and further investigation within your environment. Now, this often can be a tedious process, right? And in some cases, the complexity of the network and the time required for the investigation can affect the efficacy of the cybersecurity forensics professional to actually reconstruct and also to provide an accurate interpretation of that evidence. Now, from a practical and a realistic perspective, the amount of time and effort involved in the digital forensic process should pass the acceptable, reasonable test. In other words, all efforts should not be put into finding every single conceivable trace of evidence and analyzing it, right? I mean, you're never gonna be able to actually do that, and you will never be able to scale. And this is especially becoming more challenging to the cybersecurity forensics expert as the volume of data to be analyzed becomes extremely big, right? Nowadays, with big data and big data analytics, this is actually a challenge.
Now, evidence in cybersecurity investigations that go to court is used to prove or disprove facts that are in dispute, and of course, as well as proving the credibility of the disputed facts, right? So in particular, circumstantial evidence or indirect evidence is one of the facts that comes into play, right? Now, digital forensics evidence provides implications and extrapolations that may assist in providing some key facts to that case, right? And that evidence helps the legal teams and the courts to develop reliable hypotheses or theories as to the committer of the crime or the threat actor, right? Now, the reliability of the evidence is vital and is crucial to supporting or refuting any type of hypothesis put forward during the attribution of a threat actor, right? So these are really important things that I'm, of course, repeating through the course because they are crucial for evidence collection, evidence preservation, and for you to be able to be successful in front of a court, right? And in front of a judge.