WEBVTT 1 00:00:00.080 --> 00:00:03.160 Welcome back everyone for another deep dive. This time we're 2 00:00:03.200 --> 00:00:07.000 putting on our digital detective hats and uh yeah, we're 3 00:00:07.040 --> 00:00:10.160 diving headfirst into the world of Linux forensics. 4 00:00:10.320 --> 00:00:12.640 Oh, Linux forensics, that's my jam. 5 00:00:12.800 --> 00:00:15.720 And to guide us on this thrilling adventure, we have 6 00:00:15.919 --> 00:00:19.559 doctor Philip Polster's book. Now, this isn't your typical dry 7 00:00:19.760 --> 00:00:20.719 technical manual. 8 00:00:20.839 --> 00:00:21.640 No, no, not at all. 9 00:00:21.640 --> 00:00:25.000 It's more like a gripping detective story. You know, even 10 00:00:25.000 --> 00:00:28.280 if you've never ever touched a command line, you'll feel 11 00:00:28.320 --> 00:00:30.640 like you're cracking a real life cybercrime case. 12 00:00:30.800 --> 00:00:33.039 He's got this way of making the technical stuff feel 13 00:00:33.079 --> 00:00:35.200 almost like cinematic. 14 00:00:35.359 --> 00:00:36.320 Oh. Absolutely. 15 00:00:36.399 --> 00:00:40.039 He walks you through this case right where a company 16 00:00:40.039 --> 00:00:42.679 they're called Phil's Awesome Stuff, they get slammed with a 17 00:00:42.719 --> 00:00:46.000 cyber attack. Their web server has been compromised, data's potentially stolen, 18 00:00:46.280 --> 00:00:47.200 the whole shebang. 19 00:00:47.479 --> 00:00:48.200 Oh man. 20 00:00:48.520 --> 00:00:51.600 He uses this story right to teach you the ropes 21 00:00:51.880 --> 00:00:53.119 of Linux forensics. 22 00:00:53.320 --> 00:00:56.320 I love that approach, learning through a story. So we're 23 00:00:56.320 --> 00:00:59.439 going to use this Phills Awesome stuffcase as our guide, 24 00:01:00.159 --> 00:01:03.439 and our mission, should we choose to accept it, is 25 00:01:03.479 --> 00:01:07.280 to equip you, dear listeners, with the knowledge tackle a 26 00:01:07.359 --> 00:01:09.120 digital investigation head on. 27 00:01:09.400 --> 00:01:11.879 That's right. And one of the first things you realize 28 00:01:11.879 --> 00:01:15.200 in these situations is that your gut instinct, well it 29 00:01:15.280 --> 00:01:17.959 might lead you astray. Oh really yeah, Like you see 30 00:01:17.959 --> 00:01:20.599 a compromise system, you want to shut it down immediately, right. 31 00:01:20.519 --> 00:01:22.239 Contain the damage seems logical. 32 00:01:22.319 --> 00:01:26.879 Yeah, yeah, exactly, contained the damage. But as Polster points out, 33 00:01:27.120 --> 00:01:28.799 that could actually be the worst move. 34 00:01:29.319 --> 00:01:32.159 No, I'm really intrigued. Why would leaving a compromise system 35 00:01:32.239 --> 00:01:35.239 running be like the right call? 36 00:01:35.400 --> 00:01:37.959 Well, think about it this way. If you had like 37 00:01:38.079 --> 00:01:40.879 a burglar in your house and they knew you were 38 00:01:40.879 --> 00:01:43.280 onto them, what would they do. 39 00:01:43.799 --> 00:01:46.280 They'd try to cover their tracks, get rid of any evidence. 40 00:01:46.359 --> 00:01:49.439 Exactly, same thing with malware. If it senses the system 41 00:01:49.480 --> 00:01:51.680 shutting down, it's like hitting the panic button. It might 42 00:01:51.680 --> 00:01:54.439 wipe its activity logs, delete those stolen files. 43 00:01:54.120 --> 00:01:57.719 So it basically disappears in the thin air poof gone wow. 44 00:01:58.280 --> 00:02:02.359 So it's this like aast time. But sometimes hitting the 45 00:02:02.400 --> 00:02:05.040 pause button actually helps the criminal, not. 46 00:02:05.159 --> 00:02:08.039 Us exactly, And this is just one example of how 47 00:02:08.080 --> 00:02:11.919 counterintuitive digital forensics can be. Polster also talks about this 48 00:02:11.960 --> 00:02:13.439 thing called confirmation bias. 49 00:02:13.639 --> 00:02:15.080 Confirmation bias, Yeah, it. 50 00:02:15.000 --> 00:02:17.319 Could trip up even the most seasoned investigators. 51 00:02:17.360 --> 00:02:20.960 Now, isn't confirmation bias, like when you're so convinced you're 52 00:02:21.000 --> 00:02:23.759 right that you just ignore any evidence that says otherwise. 53 00:02:23.879 --> 00:02:26.960 You got it? Polster uses this analogy. It's like a 54 00:02:27.000 --> 00:02:30.319 magician asks a child to guess which hand has the coin. 55 00:02:30.639 --> 00:02:32.199 Right, Okay, I'm following, and. 56 00:02:32.199 --> 00:02:35.840 The child keeps getting right, and the parents they're convinced, Oh, 57 00:02:35.879 --> 00:02:39.280 my kid's a mind reader. But the magician, sneaky magician, 58 00:02:39.719 --> 00:02:41.680 had coins in both hands all along. 59 00:02:41.800 --> 00:02:44.479 Oh wow, So the parents were so focused on proving 60 00:02:44.479 --> 00:02:47.360 their kid a special that they totally missed the obvious. 61 00:02:47.199 --> 00:02:50.280 Exactly, And investigators can fall into that same trap. They 62 00:02:50.280 --> 00:02:53.319 get fixated on one theory and then they only see 63 00:02:53.319 --> 00:02:56.439 the evidence that supports it. Yeah, we've got to turn 64 00:02:56.479 --> 00:02:59.280 a blind eye to other possibilities. 65 00:02:58.680 --> 00:03:00.759 Right, It's like having tunnel vision. So that's a good 66 00:03:00.759 --> 00:03:03.319 reminder for all of us, right to stay open minded, 67 00:03:03.479 --> 00:03:06.400 consider all the angles. Absolutely, But before we get ahead 68 00:03:06.400 --> 00:03:08.520 of ourselves, let's take a step back for those who 69 00:03:08.599 --> 00:03:11.199 are just starting out, Like, how would you define forensics, 70 00:03:11.719 --> 00:03:13.599 especially in this digital world? 71 00:03:13.879 --> 00:03:19.439 Okay, so forensic science at its core, it's about gathering 72 00:03:19.879 --> 00:03:23.199 evidence that could hold up in court, even if you 73 00:03:23.240 --> 00:03:25.680 never actually plan on going to court. Got it so 74 00:03:25.680 --> 00:03:31.400 about being meticulous, documenting everything, following procedures. 75 00:03:30.759 --> 00:03:33.319 Right, dotting your eyes, crossing your t's. 76 00:03:33.360 --> 00:03:36.560 Yeah, and ensuring that all your findings, everything you discover 77 00:03:37.199 --> 00:03:39.680 is credible and hasn't been tampered with. 78 00:03:39.919 --> 00:03:42.039 So it's not just about finding those clues, it's about 79 00:03:42.039 --> 00:03:44.319 doing it in a way that's like legit that can 80 00:03:44.360 --> 00:03:45.479 stand up to scrutiny. 81 00:03:45.639 --> 00:03:50.000 Exactly. In digital forensics, it's particularly tricky because digital evidence 82 00:03:50.560 --> 00:03:54.199 is so easy to change, delete, even fabricate. 83 00:03:54.319 --> 00:03:54.960 Oh that's right. 84 00:03:55.039 --> 00:03:57.800 It's like imagine trying to solve a crime scene, but 85 00:03:58.560 --> 00:04:01.199 the evidence can just vanish or morph into something else 86 00:04:01.240 --> 00:04:02.120 at any given moment. 87 00:04:02.360 --> 00:04:03.919 Oh wow, that's a great way to put it. So 88 00:04:04.120 --> 00:04:08.680 we're dealing with much more fragile evidence than say, fingerprints 89 00:04:08.800 --> 00:04:09.960 or I don't know, DNA. 90 00:04:10.199 --> 00:04:14.000 Right. But here's the interesting part digital evidence. It also 91 00:04:14.120 --> 00:04:17.199 leaves behind a ton of information that you know, traditional 92 00:04:17.240 --> 00:04:18.680 forensics can only dream of. 93 00:04:18.920 --> 00:04:19.519 Oh that's true. 94 00:04:19.560 --> 00:04:23.879 We're talking time stamps, file access logs, internet history. I mean, 95 00:04:23.879 --> 00:04:24.759 the list goes on and on. 96 00:04:24.879 --> 00:04:27.199 So it's a double edged sword, right, It is more fragile, 97 00:04:27.240 --> 00:04:31.279 but also potentially way more revealing exactly. 98 00:04:30.920 --> 00:04:33.639 And this brings us back to low cards exchange principle, 99 00:04:33.680 --> 00:04:36.800 which is like the couinderstone of forensic science. 100 00:04:36.879 --> 00:04:39.360 Okay, remind me what's low cards exchange principle again. 101 00:04:39.480 --> 00:04:43.120 It basically states that whenever two objects interact, they leave 102 00:04:43.199 --> 00:04:46.639 traces on each other, right, right, So like paint transfer 103 00:04:46.720 --> 00:04:50.040 in a car accident, fingerprints at a crime scene. Well, 104 00:04:50.160 --> 00:04:53.680 in the digital world, those traces, those digital footprints, they're 105 00:04:53.720 --> 00:04:55.680 often even more numerous and detailed. 106 00:04:55.720 --> 00:04:59.079 Oh that's interesting. So every click, every download, every email, 107 00:04:59.160 --> 00:05:02.680 every like everything is leaving a mark somewhere. 108 00:05:03.000 --> 00:05:06.800 You got it. And that's why in this Fills Awesome 109 00:05:06.800 --> 00:05:12.040 Stuff case, Polstra really emphasizes preserving that digital crime scene 110 00:05:12.240 --> 00:05:14.000 as meticulously as possible. 111 00:05:14.079 --> 00:05:16.680 Okay, it makes sense. So let's say we're called in 112 00:05:16.959 --> 00:05:20.879 to investigate this compromise web server at Phill's Awesome Stuff. 113 00:05:21.399 --> 00:05:23.480 What are like the first things we need to keep 114 00:05:23.480 --> 00:05:26.759 in mind? What are the guiding principles as we start 115 00:05:26.800 --> 00:05:27.560 our investigation. 116 00:05:27.680 --> 00:05:31.519 Okay, the absolute top priority, the golden rule, is maintaining 117 00:05:31.600 --> 00:05:34.360 the integrity of the evidence. Think of it like this, 118 00:05:35.360 --> 00:05:39.000 any action you take on a compromised system. Even something small, 119 00:05:39.519 --> 00:05:42.680 it has the potential to change the original state. So 120 00:05:42.759 --> 00:05:45.079 before you even touch the system, you got to make 121 00:05:45.079 --> 00:05:46.519 a forensic copy of the hard drive. 122 00:05:46.600 --> 00:05:49.040 No, it's not just like copying and pasting files, right, 123 00:05:49.079 --> 00:05:51.639 we're talking about a bit for bit replica, a clone 124 00:05:52.000 --> 00:05:55.160 of the entire drive. Why is that so crucial. 125 00:05:54.839 --> 00:05:57.759 Because even something that seems harmless, like just opening a file, 126 00:05:58.040 --> 00:05:59.959 it can change the file's metadata at a day. 127 00:06:00.240 --> 00:06:02.959 That's the time stamps, that access records, all that behind 128 00:06:02.959 --> 00:06:03.759 the scenes stuff, you. 129 00:06:03.720 --> 00:06:06.560 Got it, all that juicy stuff that helps us reconstruct 130 00:06:06.560 --> 00:06:08.160 the what happened the timeline. 131 00:06:08.279 --> 00:06:11.040 So we're working on a copy to avoid messing up 132 00:06:11.040 --> 00:06:12.800 the original evidence exactly. 133 00:06:13.240 --> 00:06:16.160 And while we're preserving that evidence, we got to document 134 00:06:16.199 --> 00:06:18.800 every single step we take during the investigation. Makes us 135 00:06:18.839 --> 00:06:21.360 who accessed what, when and for what reason. 136 00:06:21.560 --> 00:06:24.000 Oh so that creates a chain of custody, that's. 137 00:06:23.920 --> 00:06:26.439 Right, the chain of custody proving that the evidence is 138 00:06:26.560 --> 00:06:28.839 authentic and hasn't been tampered with. 139 00:06:29.399 --> 00:06:31.480 So it's not just about catching the bad guy, it's 140 00:06:31.519 --> 00:06:34.000 about doing it in a way that's airtight, you know, 141 00:06:34.519 --> 00:06:38.079 like building a legal case alongside the technical investigation. 142 00:06:38.240 --> 00:06:38.759 Percisely. 143 00:06:38.959 --> 00:06:43.360 Okay, So documentation super important. Are there any other standard 144 00:06:43.439 --> 00:06:49.040 practices or guidelines that are like super crucial in Linux forensics. 145 00:06:49.240 --> 00:06:52.720 Yeah, sticking to established procedures, that's super important. It's like 146 00:06:53.120 --> 00:06:56.040 having a recipe, you know, for your investigator. 147 00:06:55.480 --> 00:06:57.199 A recipe, okay, Yeah. 148 00:06:57.279 --> 00:07:01.160 It ensures consistency, helps you avoid makeing those silly mistakes, 149 00:07:01.720 --> 00:07:03.639 and makes your findings more credible in the end. 150 00:07:03.800 --> 00:07:07.199 So it's not just about doing things right, it's about 151 00:07:07.199 --> 00:07:10.800 doing them in a like a standardized, replicable way, like 152 00:07:10.959 --> 00:07:14.560 a scientific method, but for digital detective work exactly. 153 00:07:15.000 --> 00:07:19.720 And Polstra in his book he outlines these procedures. He 154 00:07:19.800 --> 00:07:23.399 walks you through the three main phases of a digital 155 00:07:23.399 --> 00:07:24.319 investigation out. 156 00:07:24.319 --> 00:07:25.240 There are phases. 157 00:07:25.399 --> 00:07:28.240 There are you got evidence preservation, which we just talked about. 158 00:07:28.480 --> 00:07:30.720 Then there's the searching phase where you're digging through the 159 00:07:30.800 --> 00:07:34.560 data for those clues. And finally event reconstruction. 160 00:07:34.879 --> 00:07:38.519 Event reconstruction, so you secure the scene, then you hunt 161 00:07:38.560 --> 00:07:41.480 for clues, and then finally you try to piece together 162 00:07:41.920 --> 00:07:44.800 like the narrative, what actually happened. 163 00:07:44.399 --> 00:07:48.839 You got it. But in practice, those phases they often overlap, 164 00:07:49.040 --> 00:07:50.560 you know, they kind of blur together. 165 00:07:50.759 --> 00:07:51.639 Yeah, and see that. 166 00:07:51.680 --> 00:07:54.319 Like, for example, that dilemma of pulling the plug, you know, 167 00:07:54.439 --> 00:07:57.839 shutting down the system, right, right, that decision you often 168 00:07:57.879 --> 00:08:00.399 have to make that during the evidence preservation phase. 169 00:08:00.439 --> 00:08:03.519 Oh, that's right, because the longer the system is running, 170 00:08:03.639 --> 00:08:06.160 the more time the malware has to cover its tracks. 171 00:08:06.160 --> 00:08:09.560 But shutting it down could mean losing vital data. It's 172 00:08:09.560 --> 00:08:11.279 like a catch twenty two exactly. 173 00:08:11.560 --> 00:08:14.120 It's a tough call and there's no one size fits 174 00:08:14.120 --> 00:08:16.800 all answer, you know. It depends on the situation, the 175 00:08:16.839 --> 00:08:19.319 type of malware we're dealing with, what we're hoping to achieve. 176 00:08:19.800 --> 00:08:22.759 So sometimes it's a judgment call, right, weighing those risks 177 00:08:22.759 --> 00:08:24.920 and benefits of each action precisely. 178 00:08:25.279 --> 00:08:27.680 And this leads us to kind of the idea of 179 00:08:27.759 --> 00:08:29.079 dead versus live. 180 00:08:29.040 --> 00:08:31.439 Analysis, Dead versus live what's that? 181 00:08:31.720 --> 00:08:36.039 So? Dead analysis that's when we're examining a system that's offline. 182 00:08:36.320 --> 00:08:37.320 Offline, Yeah, like. 183 00:08:37.279 --> 00:08:41.240 Analyzing that disk imagery talked about. Live analysis, Well, that's 184 00:08:41.240 --> 00:08:43.919 when we're interacting with a system that's still running. 185 00:08:44.120 --> 00:08:47.559 Okay, So dead analysis is like studying a frozen snapshot. 186 00:08:47.679 --> 00:08:48.000 Yeah. 187 00:08:48.039 --> 00:08:51.159 Well, live analysis is more like observing the system in 188 00:08:51.279 --> 00:08:52.600 action as it's happening. 189 00:08:52.879 --> 00:08:55.080 That's a great way to put it. Both approaches have 190 00:08:55.200 --> 00:08:58.840 their you know, pluses and minuses, advantages and disadvantages. Yeah, 191 00:08:58.879 --> 00:09:01.200 and the choice it really depends on the goals of 192 00:09:01.240 --> 00:09:02.000 the investigation. 193 00:09:02.240 --> 00:09:04.440 Makes sense. Okay, So let's say we've decided to do 194 00:09:04.480 --> 00:09:07.960 some analysis. What kind of tools would we need in 195 00:09:08.000 --> 00:09:11.480 our digital detective kit? Ah, the tools I'm picturing like 196 00:09:11.799 --> 00:09:13.559 something straight out of a spy movie. 197 00:09:13.720 --> 00:09:17.279 Well, on the hardware side, you'll need external hard drives, 198 00:09:17.639 --> 00:09:19.559 you know, to store those forensic copies. 199 00:09:19.679 --> 00:09:19.879 Right. 200 00:09:20.159 --> 00:09:23.080 USB three point zero is usually the best. It's fast, okay, 201 00:09:23.320 --> 00:09:27.000 but sometimes those older USB two point zero drives. They're 202 00:09:27.039 --> 00:09:30.759 better for compatibility with virtual machines, oh okay. And absolutely 203 00:09:30.840 --> 00:09:32.200 essential are right blockers. 204 00:09:32.440 --> 00:09:33.080 Right blockers. 205 00:09:33.120 --> 00:09:35.960 Yeah, they prevent you from accidentally modifying the evidence. 206 00:09:36.080 --> 00:09:39.879 So it's like a safety guard for our digital evidence exactly. 207 00:09:39.919 --> 00:09:44.000 Think of them as like gloves for a surgeon. You know, 208 00:09:44.360 --> 00:09:47.720 you wouldn't operate without gloves, and you shouldn't image a 209 00:09:47.799 --> 00:09:49.240 drive without a right blocker. 210 00:09:49.320 --> 00:09:52.320 Good analogy. And you want to dedicate a forensics workstation 211 00:09:52.440 --> 00:09:55.120 right absolutely completely separate from the compromise system. 212 00:09:55.159 --> 00:09:57.120 Yeah, you don't want to be installing anything on the 213 00:09:57.159 --> 00:09:59.080 suspect machine. You got to work on a copy on 214 00:09:59.120 --> 00:10:01.399 a separate system to avoid any contamination. 215 00:10:01.679 --> 00:10:04.399 Right, makes sense, But what about software? Do we need 216 00:10:04.919 --> 00:10:06.960 expensive specialized tools for this? 217 00:10:07.639 --> 00:10:12.240 Here's the beauty of Linux forensics. There are tons of 218 00:10:12.279 --> 00:10:15.039 free and open source tools out there that are incredibly powerful. 219 00:10:15.080 --> 00:10:15.879 Oh that's awesome. 220 00:10:16.200 --> 00:10:19.279 And Polstra he actually includes a script in his book 221 00:10:19.639 --> 00:10:22.320 that installs a whole bunch of these tools automatically. 222 00:10:22.440 --> 00:10:24.960 Oh wow, So it's like setting up your digital forensics 223 00:10:25.039 --> 00:10:26.279 lab with a single command. 224 00:10:26.559 --> 00:10:27.480 That's the idea. 225 00:10:27.519 --> 00:10:29.919 That's amazing. It sounds like Linux is a great platform 226 00:10:29.960 --> 00:10:30.639 for this kind of work. 227 00:10:30.799 --> 00:10:33.879 It really is. But remember, no matter how powerful your 228 00:10:33.919 --> 00:10:37.759 tools are, the key is to use them responsibly ethically. 229 00:10:37.960 --> 00:10:39.360 Right, of course, our. 230 00:10:39.240 --> 00:10:43.080 Goal is to minimize disturbance to the subject system. Think 231 00:10:43.080 --> 00:10:45.960 of it like walking through a like a delicate crime scene. 232 00:10:46.080 --> 00:10:48.399 You want to leave the smallest footprint. 233 00:10:47.960 --> 00:10:51.399 Possible, right, So avoid installing anything on the suspect system, 234 00:10:51.759 --> 00:10:55.039 create that copy first, and use those tools responsibly. 235 00:10:55.200 --> 00:10:58.639 Got it exactly. And when it comes to discreetly gathering data, 236 00:10:59.159 --> 00:11:02.000 tools like net cat can be incredibly handy. 237 00:11:02.279 --> 00:11:05.000 Netcat that sounds like something a hacker would use. 238 00:11:05.159 --> 00:11:07.559 It can be used for both good and bad. But 239 00:11:07.720 --> 00:11:10.120 in our context, it's a way to create a secure 240 00:11:10.240 --> 00:11:13.799 channel between the suspect system and our workstation. We can 241 00:11:13.840 --> 00:11:17.159 send commands, get data back, all without leaving a trace 242 00:11:17.200 --> 00:11:18.480 on the compromise machine. 243 00:11:18.559 --> 00:11:21.519 Okay, so netcat is like our secret back door for 244 00:11:21.559 --> 00:11:24.600 collecting evidence. I'm starting to feel like a real digital 245 00:11:24.639 --> 00:11:25.360 detective here. 246 00:11:25.519 --> 00:11:26.240 That's the spirit. 247 00:11:26.360 --> 00:11:27.120 This is exciting. 248 00:11:27.320 --> 00:11:30.399 It's a combination of technical skills and that old fashioned 249 00:11:30.399 --> 00:11:31.440 detective intuition. 250 00:11:31.799 --> 00:11:35.240 Well said, So we've gathered our initial data, we've got 251 00:11:35.240 --> 00:11:37.480 our tools ready to go, and now we're about to 252 00:11:37.600 --> 00:11:40.320 enter the live analysis phase. Live analysis here we go, 253 00:11:40.519 --> 00:11:43.360 assuming of course, that we've determined there's actually an incident 254 00:11:43.399 --> 00:11:46.559 to investigate. Where do we even begin. 255 00:11:47.000 --> 00:11:49.080 One of the first things to zero in on is 256 00:11:49.240 --> 00:11:50.279 file metadata. 257 00:11:50.639 --> 00:11:52.240 File metadata, Yeah. 258 00:11:52.080 --> 00:11:56.679 Timestamps, permissions, ownership, all those little details can be incredibly revealing. 259 00:11:56.879 --> 00:12:00.120 So it's like reconstructing the story of what happened, and 260 00:12:00.399 --> 00:12:04.840 based on when and how files were created, modified, or accessed. 261 00:12:04.960 --> 00:12:07.360 You got it, and don't forget about user command history. 262 00:12:07.679 --> 00:12:09.639 It can give us a glimpse into what actions both 263 00:12:09.759 --> 00:12:12.639 legitimate users and potential attackers took on the system. 264 00:12:12.720 --> 00:12:15.679 Oh, right, like a trail of digital breadcrumbs exactly. 265 00:12:15.720 --> 00:12:18.200 And log files they are another gold mine of information 266 00:12:18.600 --> 00:12:21.600 system events, log in attempts, air messages, it's all there, 267 00:12:21.799 --> 00:12:23.000 just waiting to be analyzed. 268 00:12:23.039 --> 00:12:26.120 Wow. So it's like having a detailed chronicle of the 269 00:12:26.159 --> 00:12:27.480 system's activity. 270 00:12:27.159 --> 00:12:31.519 Precisely, and sometimes we need to go even deeper and 271 00:12:31.679 --> 00:12:35.919 capture the entire system state. That's where ram dumps come. 272 00:12:35.799 --> 00:12:38.000 In a ramdomp, what's that all about. 273 00:12:38.120 --> 00:12:41.279 It's basically creating a snapshot of everything that's in the 274 00:12:41.279 --> 00:12:45.080 computer's memory at a specific moment in time. It's like 275 00:12:45.399 --> 00:12:48.039 freezing the brain of the computer, seeing what it was 276 00:12:48.080 --> 00:12:49.440 thinking at that exact moment. 277 00:12:49.639 --> 00:12:52.039 That's impressive, but I imagine it's pretty challenging to do. 278 00:12:52.320 --> 00:12:55.519 It can be tricky, but there are tools designed specifically 279 00:12:55.559 --> 00:12:59.039 for this purpose. One of them is called line BLI me. Yeah, 280 00:12:59.279 --> 00:13:02.759 capturing a complete an accurate RAM dump is a delicate process, 281 00:13:03.200 --> 00:13:06.519 but the insights you can glean from it, they're often invaluable. 282 00:13:06.559 --> 00:13:09.360 Okay, so we've collected that volatile data from the running system, 283 00:13:09.639 --> 00:13:12.200 but what about the data stored on the hard drive itself. 284 00:13:12.320 --> 00:13:14.120 That's where disk images come into play. 285 00:13:14.159 --> 00:13:15.720 Disk images creating a. 286 00:13:15.679 --> 00:13:19.480 Forensic image of the hard drive is crucial for preserving 287 00:13:19.480 --> 00:13:22.360 the evidence and ensuring we have a complete copy to 288 00:13:22.360 --> 00:13:22.720 work with. 289 00:13:22.879 --> 00:13:25.159 Right, So it's not just copying files, but creating a 290 00:13:25.159 --> 00:13:27.600 bit for bit replica of the entire drive. 291 00:13:27.720 --> 00:13:30.159 You, got it. And there are different formats for these images, 292 00:13:30.720 --> 00:13:33.320 like raw images. Those are exact copies, and then there 293 00:13:33.320 --> 00:13:37.440 are proprietary formats that offer compression or some extra features. 294 00:13:37.080 --> 00:13:41.080 Okay, And which tools are commonly used to create these images. 295 00:13:41.360 --> 00:13:44.639 DD is a classic a command line tool, but for forensics 296 00:13:44.559 --> 00:13:49.399 we often use DCFLTD DCLLTD. Yeah, it's basically like DD 297 00:13:49.559 --> 00:13:50.879 on steroids. 298 00:13:50.759 --> 00:13:55.080 DC LTD on steroids. That sounds intense. 299 00:13:55.240 --> 00:13:59.360 It's more robust, more reliable. It has features like verifying 300 00:13:59.360 --> 00:14:02.320 the integrity the image as it's been created and splitting 301 00:14:02.360 --> 00:14:03.919 it into multiple files if you need to. 302 00:14:04.080 --> 00:14:04.799 Oh, that's handy. 303 00:14:04.879 --> 00:14:06.480 And of course we always use it in conjunction with 304 00:14:06.480 --> 00:14:08.480 a right blocker, just to be extra careful. 305 00:14:08.600 --> 00:14:10.440 Right, safety first, So it's. 306 00:14:10.240 --> 00:14:13.039 Like having a safety net, a quality control check all 307 00:14:13.120 --> 00:14:13.840 rolled into one. 308 00:14:14.000 --> 00:14:16.399 Got it. And if possible, it's always best to image 309 00:14:16.399 --> 00:14:19.320 the entire drive, right, right, not just specific partitions. 310 00:14:19.399 --> 00:14:21.720 Yeah, you never know where those valuable clues might be hiding. 311 00:14:21.960 --> 00:14:24.840 Makes sense. It's like searching every nook and cranny of 312 00:14:24.879 --> 00:14:29.480 the digital crime scene. So we've created our image, what's next. 313 00:14:29.840 --> 00:14:32.679 The next step is to mount the image. Mount it, yeah, 314 00:14:32.799 --> 00:14:36.360 which basically means making it accessible to our forensic tools 315 00:14:36.559 --> 00:14:39.440 as if it were a physical drive plugged into our workstation. 316 00:14:39.639 --> 00:14:42.039 Oh okay, so it's like virtually plugging in the hard 317 00:14:42.120 --> 00:14:44.039 drive and exploring its content exactly. 318 00:14:44.120 --> 00:14:46.679 But before we mount the image, we need to figure 319 00:14:46.679 --> 00:14:48.279 out its partitioning scheme. 320 00:14:48.519 --> 00:14:50.159 Partitioning scheme, yeah, it's. 321 00:14:50.080 --> 00:14:53.000 Basically how the drive is divided up into these logical sections. 322 00:14:53.080 --> 00:14:55.519 Oh right, right, like those C and D drives and 323 00:14:55.559 --> 00:14:56.759 Windows exactly. 324 00:14:57.000 --> 00:15:00.519 Yeah. But Linux it uses different partitioning schemes. 325 00:15:00.559 --> 00:15:01.120 Oh okay. 326 00:15:01.200 --> 00:15:04.279 The most common ones are MBR, which is the older scheme, 327 00:15:04.600 --> 00:15:07.440 and then there's GP, which is newer and can handle 328 00:15:07.559 --> 00:15:08.480 much larger drives. 329 00:15:08.519 --> 00:15:11.120 Okay, so GPT is the way to go, right if 330 00:15:11.120 --> 00:15:12.559 we're dealing with a modern system. 331 00:15:12.919 --> 00:15:16.600 Ideally, yes, but for compatibility reasons, you really need to 332 00:15:16.639 --> 00:15:19.919 know both. Think of it, like knowing both metric and 333 00:15:19.960 --> 00:15:24.360 imperial measurements. Sometimes you encounter those older systems that still cling. 334 00:15:24.080 --> 00:15:26.879 To the old ways, right, right, So how do we 335 00:15:26.919 --> 00:15:30.080 figure out the partitioning scheme of our disk image? 336 00:15:30.240 --> 00:15:32.639 We use a tool called f disc. It's a command 337 00:15:32.720 --> 00:15:37.120 line utility that can analyze the drive without making any changes. Okay, 338 00:15:37.200 --> 00:15:38.720 kind of like a harmless X ray. 339 00:15:38.879 --> 00:15:42.080 So it's like reading the blueprint of the drive, seeing 340 00:15:42.080 --> 00:15:45.679 how it's structured and where each partition is located exactly. 341 00:15:45.799 --> 00:15:47.960 And once we have that information, we can use the 342 00:15:48.000 --> 00:15:52.679 mount command to make those specific partitions accessible for analysis. 343 00:15:52.879 --> 00:15:55.320 Sound straightforward enough, but I imagine it can get pretty 344 00:15:55.320 --> 00:15:57.279 tedious if you're dealing with a lot of partitions. 345 00:15:57.440 --> 00:16:00.840 You're right. That's where scripting can be a lifesaver. Polster's 346 00:16:00.840 --> 00:16:03.919 book shows you how to automate this whole process using Python. 347 00:16:04.159 --> 00:16:04.360 Oh. 348 00:16:04.519 --> 00:16:07.279 Python, Yeah, it's like having a robot assistant handling all 349 00:16:07.320 --> 00:16:08.720 those repetitive tasks. 350 00:16:08.840 --> 00:16:11.159 So we can write these Python scripts to identify the 351 00:16:11.200 --> 00:16:16.639 partitioning scheme, locate the partitions, and mount them all automatically exactly. 352 00:16:16.679 --> 00:16:19.039 It makes the whole process much more efficient and less 353 00:16:19.240 --> 00:16:24.759 prone to those pesky human errors. And speaking of efficiency, 354 00:16:25.120 --> 00:16:28.279 importing filesystem data into a database, now that can be 355 00:16:28.320 --> 00:16:31.080 a real game changer for analysis databases. 356 00:16:31.279 --> 00:16:34.600 Yeah, now I thought those were for like storing structured 357 00:16:34.639 --> 00:16:37.840 data like customer information or financial transactions. 358 00:16:37.879 --> 00:16:41.600 They are, but they can also be incredibly powerful tools 359 00:16:41.960 --> 00:16:46.399 for forensic analysis. Okay, imagine having this supercharged search engine 360 00:16:46.440 --> 00:16:49.399 for all your evidence. Instead of manually digging through those files, 361 00:16:49.679 --> 00:16:52.600 you can use SQL queries to pinpoint very specific information, 362 00:16:52.960 --> 00:16:56.960 identify patterns, generate timelines, and all much much faster. 363 00:16:57.120 --> 00:16:59.480 Oh wow, Okay, that's starting to sound really useful. Can 364 00:16:59.480 --> 00:17:01.320 you give me like a concrete example of how this 365 00:17:01.399 --> 00:17:01.799 might work. 366 00:17:01.879 --> 00:17:05.119 Sure, Let's say you suspect that someone was stealing sensitive 367 00:17:05.200 --> 00:17:09.400 data from Phil's awesome stuff. With a database, you could import, 368 00:17:09.640 --> 00:17:13.039 like the file axislogs user login records and then write 369 00:17:13.039 --> 00:17:15.920 a query that says, show me all the files accessed 370 00:17:15.960 --> 00:17:19.119 by this specific user during these specific hours, and tell 371 00:17:19.160 --> 00:17:21.079 me whether those files were sent over the network. 372 00:17:21.279 --> 00:17:24.519 Wow, that's incredibly specific. It's like having laser focus on 373 00:17:24.559 --> 00:17:27.400 the exact data we need exactly. 374 00:17:27.119 --> 00:17:29.960 And databases they allow for much more complex queries than 375 00:17:30.000 --> 00:17:31.319 your typical forensic tools. 376 00:17:31.400 --> 00:17:33.640 So it's not just about finding a needle in a haystack, 377 00:17:33.680 --> 00:17:36.359 it's about analyzing the whole haystack in seconds. 378 00:17:36.559 --> 00:17:39.400 You got it, impolster. He actually shares a real world 379 00:17:39.480 --> 00:17:43.119 case where those prepackaged forensic tools that were just hitting 380 00:17:43.160 --> 00:17:46.759 their limits and importing the data into a database, Well 381 00:17:46.839 --> 00:17:49.200 that's what allowed him to crack the case wide open. 382 00:17:49.279 --> 00:17:52.200 Wow, I'm starting to see why databases are becoming so 383 00:17:52.400 --> 00:17:55.519 essential in digital forensics. But let's step back for a 384 00:17:55.519 --> 00:17:59.480 moment and talk about timeline analysis. Timeline analysis, you've mentioned 385 00:17:59.519 --> 00:18:01.640 it a few times already. Yeah, how do we even 386 00:18:01.720 --> 00:18:05.960 go about creating a timeline of events on a compromise system? 387 00:18:06.240 --> 00:18:09.880 And like, how reliable is that timeline? Can we trust it? 388 00:18:10.400 --> 00:18:13.359 Creating a timeline it's often the key to figuring out 389 00:18:13.359 --> 00:18:16.799 what happened. And when we use time stamps from files, 390 00:18:16.839 --> 00:18:20.039 from log in records, system logs, any source we can 391 00:18:20.039 --> 00:18:20.599 get our hands on. 392 00:18:20.680 --> 00:18:21.960 Oh okay, pulling it all together. 393 00:18:22.039 --> 00:18:24.319 But here's the catch time stamps. 394 00:18:24.519 --> 00:18:26.680 They can be manipulated, so we can't just take them 395 00:18:26.720 --> 00:18:30.640 at face value. We need to be like skeptical exactly. 396 00:18:31.000 --> 00:18:34.960 Think of time stamps as clues, not absolute truths. You 397 00:18:35.039 --> 00:18:38.640 got to look for inconsistencies, suspicious patterns, time stamps that 398 00:18:38.759 --> 00:18:41.119 just don't make sense in the context of other evidence. 399 00:18:41.359 --> 00:18:44.400 Okay, So, like if we see a file modified before 400 00:18:44.400 --> 00:18:47.079 it was supposedly created, that's a red flag. 401 00:18:46.799 --> 00:18:49.599