WEBVTT

1
00:00:00.240 --> 00:00:02.680
<v Speaker 1>Have you ever wondered what truly happens to your digital

2
00:00:02.720 --> 00:00:05.879
<v Speaker 1>data when you hit delete, or how a hidden

3
00:00:05.919 --> 00:00:09.199
<v Speaker 1>file on a hard drive can unravel a multimillion dollar fraud.

4
00:00:09.759 --> 00:00:13.400
<v Speaker 1>Today we're plunging into the intricate, often surprising world of

5
00:00:13.439 --> 00:00:16.760
<v Speaker 1>computer forensics. Our guide for this deep dive is Hacking

6
00:00:16.839 --> 00:00:20.960
<v Speaker 1>Exposed Computer Forensics, second edition, a foundational text that's really

7
00:00:20.960 --> 00:00:22.679
<v Speaker 1>been instrumental in shaping this field.

8
00:00:22.839 --> 00:00:25.399
<v Speaker 2>Yeah, and what's truly fascinating is how far this field

9
00:00:25.399 --> 00:00:28.039
<v Speaker 2>has evolved. It's way beyond just recovering a lost file.

10
00:00:28.079 --> 00:00:32.520
<v Speaker 2>Now today computer forensics is, well, indispensable in almost every

11
00:00:32.520 --> 00:00:38.079
<v Speaker 2>type of investigation, from intricate corporate espionage to widespread cybercrime.

12
00:00:38.520 --> 00:00:41.200
<v Speaker 2>Our mission here is really to distill the core processes,

13
00:00:41.439 --> 00:00:44.880
<v Speaker 2>unveil the surprising types of digital evidence, and show you

14
00:00:44.920 --> 00:00:48.240
<v Speaker 2>how expert investigators don't just figure out what happened, but

15
00:00:48.520 --> 00:00:53.200
<v Speaker 2>critically why, uncovering intent. And this book even introduces a

16
00:00:53.280 --> 00:00:57.039
<v Speaker 2>unique risk grading system for various techniques and vulnerabilities, which

17
00:00:57.079 --> 00:00:59.719
<v Speaker 2>isn't just academic, right? It's more like a strategic lens

18
00:00:59.799 --> 00:01:02.399
<v Speaker 2>revealing where the digital battlefield is most vulnerable. It

19
00:01:02.439 --> 00:01:06.560
<v Speaker 2>forces investigators to prioritize their efforts against the highest impact threats.

20
00:01:06.640 --> 00:01:09.200
<v Speaker 1>Okay, so who are the minds behind this crucial knowledge?

21
00:01:09.200 --> 00:01:11.680
<v Speaker 1>Because this isn't just theory, right? It's forged by a

22
00:01:11.680 --> 00:01:15.879
<v Speaker 1>formidable team of real world practitioners. We're talking high tech investigators,

23
00:01:16.159 --> 00:01:19.879
<v Speaker 1>legal experts specializing in digital evidence, even former federal agents.

24
00:01:20.079 --> 00:01:24.079
<v Speaker 1>That diverse background means the book doesn't just theorize, it

25
00:01:24.120 --> 00:01:28.599
<v Speaker 1>delivers practical how to knowledge, stuff grounded in countless real cases.

26
00:01:28.920 --> 00:01:32.040
<v Speaker 2>Indeed. Yeah, we're talking about individuals like Aaron Philipp and

27
00:01:32.120 --> 00:01:35.840
<v Speaker 2>John Lovelin from Navigant Consulting. They bring vast experience in

28
00:01:35.959 --> 00:01:39.560
<v Speaker 2>IP theft, large scale data collection. John alone, I think

29
00:01:39.560 --> 00:01:43.079
<v Speaker 2>has led over one hundred investigations. That's huge. Then you've

30
00:01:43.079 --> 00:01:46.319
<v Speaker 2>got Rudy Peck, who adds extensive hands-on experience in

31
00:01:46.359 --> 00:01:50.480
<v Speaker 2>evidence recovery, especially with Windows systems. Peter Marketto's a law

32
00:01:50.519 --> 00:01:54.239
<v Speaker 2>firm partner, brings that critical legal perspective, making sure findings

33
00:01:54.239 --> 00:01:57.920
<v Speaker 2>are court ready. And Andrew Rosen, he's renowned for developing

34
00:01:57.920 --> 00:02:01.200
<v Speaker 2>cutting edge investigative tools. Even the tech editor, Lewis A.

35
00:02:01.280 --> 00:02:04.159
<v Speaker 2>Sharinghousen Jr. You know, his background is as a special agent

36
00:02:04.200 --> 00:02:08.159
<v Speaker 2>for the USPA's Criminal Investigation Division. That brings that vital

37
00:02:08.240 --> 00:02:12.280
<v Speaker 2>law enforcement practicality. So yeah, this collective, real world experience

38
00:02:12.319 --> 00:02:15.280
<v Speaker 2>is what makes the insights so actionable, so reliable.

39
00:02:15.439 --> 00:02:18.840
<v Speaker 1>Right, and beyond the, let's say, the cool tools, the

40
00:02:18.840 --> 00:02:22.400
<v Speaker 1>book really emphasizes a rigorous, methodical process. It's not just

41
00:02:22.479 --> 00:02:24.680
<v Speaker 1>what tech you use, but how you use it, isn't

42
00:02:24.680 --> 00:02:27.120
<v Speaker 1>it? Because at the end of the day, findings have to

43
00:02:27.120 --> 00:02:28.520
<v Speaker 1>stand up in court. Precisely.

44
00:02:28.560 --> 00:02:31.080
<v Speaker 2>Yeah, the foundation for sound forensic practice relies heavily

45
00:02:31.120 --> 00:02:36.439
<v Speaker 2>on established frameworks. The Electronic Discovery Reference Model (EDRM), established

46
00:02:36.439 --> 00:02:39.159
<v Speaker 2>back in two thousand and five, is highlighted as a flexible,

47
00:02:39.199 --> 00:02:43.280
<v Speaker 2>tested industry standard. Adopting it is absolutely crucial for ensuring

48
00:02:43.360 --> 00:02:46.560
<v Speaker 2>findings are defensible, admissible as evidence, no question.

49
00:02:46.840 --> 00:02:51.599
<v Speaker 1>So, okay, an incident happens. How does this process actually begin? Like,

50
00:02:51.680 --> 00:02:55.400
<v Speaker 1>what are the absolute first steps an investigator takes, right?

51
00:02:55.439 --> 00:02:57.759
<v Speaker 2>Well, it kicks off with clearly determining the scope of

52
00:02:57.759 --> 00:03:00.319
<v Speaker 2>the investigation, what are we actually looking for, and then

53
00:03:00.400 --> 00:03:04.280
<v Speaker 2>identifying potential repositories, basically figuring out where data that could

54
00:03:04.280 --> 00:03:06.599
<v Speaker 2>hold evidence might be hiding. This could be anything, you know,

55
00:03:06.879 --> 00:03:10.439
<v Speaker 2>a personal laptop, massive enterprise servers, maybe even a smartphone.

56
00:03:10.800 --> 00:03:14.319
<v Speaker 2>The next critical step is to strategize preservation. This means

57
00:03:14.360 --> 00:03:19.000
<v Speaker 2>taking immediate, decisive action to protect that data at all costs,

58
00:03:19.240 --> 00:03:22.439
<v Speaker 2>making sure it isn't modified or overwritten or destroyed after

59
00:03:22.479 --> 00:03:25.240
<v Speaker 2>the incident. You want to freeze that digital scene exactly

60
00:03:25.319 --> 00:03:25.800
<v Speaker 2>as it was.

61
00:03:26.039 --> 00:03:29.360
<v Speaker 1>Okay, And once that data is protected, how do you

62
00:03:29.439 --> 00:03:32.400
<v Speaker 1>ensure its integrity, especially through what could be a long,

63
00:03:32.479 --> 00:03:36.080
<v Speaker 1>complex investigation. What are the absolute non negotiables to make

64
00:03:36.080 --> 00:03:37.159
<v Speaker 1>sure it stands up in court?

65
00:03:37.319 --> 00:03:39.479
<v Speaker 2>Ah, okay. This is where the chain of custody becomes

66
00:03:39.680 --> 00:03:43.599
<v Speaker 2>just essential. It's a legal requirement. It's a meticulous record

67
00:03:43.639 --> 00:03:46.240
<v Speaker 2>of precisely who did what to the data and when, right

68
00:03:46.240 --> 00:03:49.120
<v Speaker 2>from the moment it's collected to its final storage. And

69
00:03:49.199 --> 00:03:53.159
<v Speaker 2>to mathematically prove the evidence hasn't changed, experts use cryptographic

70
00:03:53.199 --> 00:03:56.840
<v Speaker 2>hashing functions, things like MD5 and SHA-1. Think

71
00:03:56.879 --> 00:03:59.199
<v Speaker 2>of them like unique digital fingerprints.

72
00:03:58.719 --> 00:04:00.599
<v Speaker 1>Right, like a checksum but much more robust.

73
00:04:00.719 --> 00:04:03.560
<v Speaker 2>Exactly. Even a single bit change in a massive file

74
00:04:03.759 --> 00:04:07.800
<v Speaker 2>completely alters this fingerprint, so it becomes undeniable mathematical proof

75
00:04:07.840 --> 00:04:11.520
<v Speaker 2>against tampering. Following this, investigators preview the data, but only

76
00:04:11.599 --> 00:04:17.439
<v Speaker 2>using forensically approved, write-protected tools that guarantee no inadvertent modifications.

77
00:04:18.040 --> 00:04:21.439
<v Speaker 2>Only after all these rigorous steps can the analysis truly begin,

78
00:04:21.920 --> 00:04:24.399
<v Speaker 2>which is what the book calls the meat of the investigation,

79
00:04:24.720 --> 00:04:28.920
<v Speaker 2>and that demands both completeness, you know, thoroughness, and honestly

80
00:04:28.959 --> 00:04:29.800
<v Speaker 2>some creative thinking.

81
00:04:30.079 --> 00:04:33.240
<v Speaker 1>Given that rigorous process, you might wonder, where do these

82
00:04:33.319 --> 00:04:36.279
<v Speaker 1>investigators actually begin their hunt for clues. It turns out

83
00:04:36.879 --> 00:04:38.720
<v Speaker 1>your computer is kind of an open book if you

84
00:04:38.720 --> 00:04:39.319
<v Speaker 1>know where to look.

85
00:04:39.399 --> 00:04:42.800
<v Speaker 2>That's right. Yeah. At its core, all digital data boils

86
00:04:42.839 --> 00:04:46.600
<v Speaker 2>down to binary, just ones and zeros, and this fundamental

87
00:04:46.600 --> 00:04:49.399
<v Speaker 2>truth is really the bedrock for forensics because it means

88
00:04:49.480 --> 00:04:52.519
<v Speaker 2>even when you delete something, those ones and zeros often

89
00:04:52.600 --> 00:04:56.839
<v Speaker 2>persist on the drive. They're just waiting to be painstakingly reassembled.

90
00:04:57.399 --> 00:05:01.519
<v Speaker 2>So an investigator needs to understand the fundamental components: the BIOS,

91
00:05:01.680 --> 00:05:05.879
<v Speaker 2>the operating system (Windows, Linux, Macintosh), and especially the physical

92
00:05:05.920 --> 00:05:08.079
<v Speaker 2>parts of a hard drive, the platters, the heads, the

93
00:05:08.079 --> 00:05:11.879
<v Speaker 2>spindles where data is actually stored in tracks, sectors, clusters.

94
00:05:12.199 --> 00:05:15.399
<v Speaker 2>The book covers various drive types too, like IDE, SATA,

95
00:05:15.480 --> 00:05:19.360
<v Speaker 2>SCSI, SAS. Understanding the nuances of these older and newer

96
00:05:19.439 --> 00:05:22.000
<v Speaker 2>drive types is crucial because each one kind of has

97
00:05:22.040 --> 00:05:25.279
<v Speaker 2>its own language for storing and retrieving data. Mastering these

98
00:05:25.319 --> 00:05:28.160
<v Speaker 2>distinctions means an investigator isn't just looking for data, they're

99
00:05:28.240 --> 00:05:31.319
<v Speaker 2>kind of speaking its native tongue, you know, unlocking evidence

100
00:05:31.360 --> 00:05:32.120
<v Speaker 2>others might miss.

101
00:05:32.240 --> 00:05:34.240
<v Speaker 1>But it's not just the main hard drive we're talking about,

102
00:05:34.319 --> 00:05:36.519
<v Speaker 1>is it. What about less common stuff or even like

103
00:05:36.800 --> 00:05:38.120
<v Speaker 1>ancient storage devices.

104
00:05:38.360 --> 00:05:43.680
<v Speaker 2>Absolutely. Yeah. While rare today, floppy disks can surprisingly

105
00:05:43.720 --> 00:05:46.439
<v Speaker 2>still appear in investigations if the timeframe goes back far

106
00:05:46.560 --> 00:05:50.879
<v Speaker 2>enough, and they pose unique formatting challenges. More commonly, tape

107
00:05:50.920 --> 00:05:56.560
<v Speaker 2>backup drives like DAT, DDS, DLT, SDLT, LTO. They're a significant

108
00:05:56.600 --> 00:06:00.399
<v Speaker 2>source of archival evidence from servers, though acquiring data from

109
00:06:00.439 --> 00:06:03.120
<v Speaker 2>them can be pretty complex, just due to the variety

110
00:06:03.160 --> 00:06:06.000
<v Speaker 2>of hardware and software involved. And you know, with the

111
00:06:06.040 --> 00:06:09.439
<v Speaker 2>explosion of personal tech, memory technologies, digital cameras and

112
00:06:09.519 --> 00:06:13.000
<v Speaker 2>MP3 players and especially smartphones, these are now crucial

113
00:06:13.079 --> 00:06:16.839
<v Speaker 2>evidence sources. The book really stresses the absolute necessity of

114
00:06:16.920 --> 00:06:19.519
<v Speaker 2>using a read only mode for these devices. You cannot

115
00:06:19.600 --> 00:06:22.199
<v Speaker 2>risk modifying data during the forensic process.

116
00:06:21.879 --> 00:06:24.959
<v Speaker 1>Right, that makes sense. All this delicate data acquisition, the analysis,

117
00:06:24.959 --> 00:06:28.040
<v Speaker 1>it obviously demands a very specific environment. Tell us

118
00:06:28.040 --> 00:06:30.360
<v Speaker 1>a bit about the highly secure setup of a proper

119
00:06:30.399 --> 00:06:31.160
<v Speaker 1>forensic lab.

120
00:06:31.319 --> 00:06:35.199
<v Speaker 2>Oh yeah, what's truly fascinating here is the sheer effort involved.

121
00:06:35.519 --> 00:06:39.399
<v Speaker 2>It's intense. You need robust physical access controls, think high

122
00:06:39.439 --> 00:06:44.759
<v Speaker 2>grade locks, multi factor authentication, plus clear policies, procedures, meticulous

123
00:06:44.879 --> 00:06:47.160
<v Speaker 2>entry exit logs. You have to know who is in

124
00:06:47.199 --> 00:06:51.639
<v Speaker 2>there and when. Network access must be completely isolated, ideally

125
00:06:51.680 --> 00:06:54.240
<v Speaker 2>an air gap literally no connection to the outside world,

126
00:06:54.279 --> 00:06:57.240
<v Speaker 2>or at least a fortress-like firewall. That's to prevent

127
00:06:57.279 --> 00:07:00.279
<v Speaker 2>any remote tampering or, you know, spoliation of evidence. And

128
00:07:00.360 --> 00:07:04.399
<v Speaker 2>critical environmental safeguards too, like advanced fire protection, fireproof enclosures.

129
00:07:04.639 --> 00:07:06.680
<v Speaker 2>Got to protect the physical evidence itself. And the

130
00:07:06.600 --> 00:07:09.040
<v Speaker 1>computers inside the lab. They must be specialized too, right?

131
00:07:09.120 --> 00:07:11.680
<v Speaker 1>This isn't just your everyday desktop running the analysis.

132
00:07:11.720 --> 00:07:14.360
<v Speaker 2>Not at all, no way. Forensic host computers require

133
00:07:14.360 --> 00:07:17.759
<v Speaker 2>immense processing power, tons of memory. They're dealing with potentially

134
00:07:18.000 --> 00:07:22.079
<v Speaker 2>vast amounts of data. Mobile investigators often rely on specialized

135
00:07:22.120 --> 00:07:26.360
<v Speaker 2>portable hardware duplicating tools, things like Forensic Talon or HardCopy.

136
00:07:26.920 --> 00:07:30.319
<v Speaker 2>These can copy data at incredible speeds like three gigabytes

137
00:07:30.319 --> 00:07:34.639
<v Speaker 2>per second or faster. That ensures rapid acquisition on site.

138
00:07:34.680 --> 00:07:37.560
<v Speaker 2>For long term storage, yeah, large SAN or NAS systems

139
00:07:37.600 --> 00:07:40.360
<v Speaker 2>are ideal, but they're often cost prohibitive for most labs,

140
00:07:40.639 --> 00:07:43.639
<v Speaker 2>so you see clever solutions like external SATA RAID units.

141
00:07:43.959 --> 00:07:47.480
<v Speaker 2>The book highlights indispensable tools like forensically sound write blockers,

142
00:07:47.519 --> 00:07:50.399
<v Speaker 2>half stopy off use one example, and systems like the

143
00:07:50.439 --> 00:07:53.879
<v Speaker 2>ImageMASSter Solo-3 Forensic, which images the suspect's hard

144
00:07:53.959 --> 00:07:57.680
<v Speaker 2>drive but also does that critical cryptographic verification we talked about.

145
00:07:57.800 --> 00:07:59.959
<v Speaker 1>It's truly mind boggling how much data we inadvertently leave

146
00:08:00.040 --> 00:08:03.639
<v Speaker 1>behind, just trails everywhere. So this raises an

147
00:08:03.639 --> 00:08:06.439
<v Speaker 1>important question. Even if someone tries to cover their tracks,

148
00:08:06.920 --> 00:08:10.319
<v Speaker 1>what digital breadcrumbs do they inevitably leave that forensics can uncover.

149
00:08:10.720 --> 00:08:14.759
<v Speaker 2>You leave a surprisingly robust trail, often without even realizing it.

150
00:08:14.759 --> 00:08:19.199
<v Speaker 2>It's quite something. For instance, take Microsoft Office Forensics. It's

151
00:08:19.199 --> 00:08:22.199
<v Speaker 2>not just the document's content that provides clues, not at all.

152
00:08:22.519 --> 00:08:26.360
<v Speaker 2>The Custom tab in File Properties often reveals hidden metadata,

153
00:08:26.879 --> 00:08:29.759
<v Speaker 2>things like a unique review cycle ID, the email subject,

154
00:08:29.800 --> 00:08:33.320
<v Speaker 2>even the author email display name. These little bits connect

155
00:08:33.320 --> 00:08:37.360
<v Speaker 2>documents directly to users and their communications. The book even

156
00:08:37.399 --> 00:08:40.399
<v Speaker 2>mentions how older Word ninety seven documents actually contain the

157
00:08:40.519 --> 00:08:43.159
<v Speaker 2>MAC address of the network card that created them, like

158
00:08:43.159 --> 00:08:46.279
<v Speaker 2>a digital fingerprint tied to the hardware. And here's the kicker.

159
00:08:46.879 --> 00:08:50.240
<v Speaker 2>Even common features like quick save or autosave, they're not

160
00:08:50.279 --> 00:08:53.519
<v Speaker 2>just saving your work, they're creating temporary fragments of your

161
00:08:53.559 --> 00:08:57.720
<v Speaker 2>document. And Word documents, they can surprisingly store up to

162
00:08:57.840 --> 00:09:02.120
<v Speaker 2>five hundred plaintext undo actions. Five hundred, seriously. It means

163
00:09:02.159 --> 00:09:05.360
<v Speaker 2>every keystroke, every little edit you thought you reversed, can

164
00:09:05.399 --> 00:09:09.399
<v Speaker 2>potentially be recovered, painting a very detailed picture of your activity.

165
00:09:09.519 --> 00:09:12.639
<v Speaker 1>Wow, okay. What about web browsing, then? Everyone thinks, you know,

166
00:09:12.720 --> 00:09:15.000
<v Speaker 1>clearing their history is enough to erase their tracks.

167
00:09:15.240 --> 00:09:18.320
<v Speaker 2>Yeah, that's common, yes. It absolutely is. Yeah, that's where OS

168
00:09:18.440 --> 00:09:21.360
<v Speaker 2>user logs come in. It's a gold mine. The Windows

169
00:09:21.440 --> 00:09:25.240
<v Speaker 2>UserAssist registry key, for example, tracks every single application

170
00:09:25.279 --> 00:09:27.960
<v Speaker 2>you run. Doesn't matter if you manually opened it, clicked

171
00:09:27.960 --> 00:09:30.720
<v Speaker 2>a shortcut, or even accessed a Control Panel setting, it

172
00:09:30.799 --> 00:09:35.080
<v Speaker 2>logs it. This creates an invaluable, almost undeniable timeline of

173
00:09:35.159 --> 00:09:38.279
<v Speaker 2>user activity, even for things you thought were just temporary clicks.

174
00:09:38.519 --> 00:09:41.360
<v Speaker 1>And what about mobile devices, which are, let's face it,

175
00:09:41.440 --> 00:09:44.639
<v Speaker 1>practically extensions of ourselves now. Do they leave an even

176
00:09:44.720 --> 00:09:45.399
<v Speaker 1>richer trail.

177
00:09:45.679 --> 00:09:48.080
<v Speaker 2>Oh, they certainly do. I mean people are so comfortable,

178
00:09:48.200 --> 00:09:51.159
<v Speaker 2>so ingrained with their mobile devices, they often let their

179
00:09:51.159 --> 00:09:53.919
<v Speaker 2>defenses down. As the book puts it, that makes them

180
00:09:53.960 --> 00:09:57.200
<v Speaker 2>incredibly rich sources of evidence. Now, there are tons of

181
00:09:57.200 --> 00:10:00.639
<v Speaker 2>different acquisition methods. Over thirty seven are mentioned for various devices,

182
00:10:00.879 --> 00:10:03.759
<v Speaker 2>from old Palm Pilots to Windows Mobile, hundreds of cell

183
00:10:03.799 --> 00:10:09.559
<v Speaker 2>phone models. But the core data, call logs, contacts, text messages (SMS/MMS),

184
00:10:09.879 --> 00:10:13.519
<v Speaker 2>browser history, calendar events, sometimes even voice records, it's often

185
00:10:13.559 --> 00:10:18.000
<v Speaker 2>recoverable. Tools like Paraben's Device Seizure and EnCase are

186
00:10:18.039 --> 00:10:22.159
<v Speaker 2>designed specifically for this kind of work. However, password protected

187
00:10:22.200 --> 00:10:26.720
<v Speaker 2>Windows Mobile devices, they still pose a significant challenge.

188
00:10:26.720 --> 00:10:30.320
<v Speaker 2>ActiveSync often requires the password just to connect for forensic examination,

189
00:10:30.440 --> 00:10:31.360
<v Speaker 2>so that's a hurdle.

190
00:10:31.480 --> 00:10:34.759
<v Speaker 1>Okay, Now let's tackle maybe the most impactful application of

191
00:10:34.799 --> 00:10:38.240
<v Speaker 1>all this. How do forensic experts use these techniques to

192
00:10:38.279 --> 00:10:42.240
<v Speaker 1>expose crime and deception, especially when perpetrators actively try to

193
00:10:42.279 --> 00:10:44.399
<v Speaker 1>hide their tracks. This sounds like a real high stakes

194
00:10:44.440 --> 00:10:45.200
<v Speaker 1>cat and mouse game.

195
00:10:45.320 --> 00:10:49.879
<v Speaker 2>It absolutely is. Yeah, the book delves deep into defeating

196
00:10:49.919 --> 00:10:54.440
<v Speaker 2>anti forensic techniques, showcasing this very game. Like we said,

197
00:10:54.480 --> 00:10:57.679
<v Speaker 2>a common misconception is that deleting a file makes it disappear.

198
00:10:57.879 --> 00:11:01.200
<v Speaker 2>It just doesn't work that way most of the time. Now, wiping,

199
00:11:01.279 --> 00:11:04.200
<v Speaker 2>which means actually overwriting every bit of data, maybe with

200
00:11:04.360 --> 00:11:08.120
<v Speaker 2>zeros or random characters, that can make data unrecoverable, but

201
00:11:08.320 --> 00:11:11.320
<v Speaker 2>even that is often detectable. You might look for repeating

202
00:11:11.399 --> 00:11:16.360
<v Speaker 2>character patterns or identify the use of specific DoD wiping specifications.

203
00:11:16.360 --> 00:11:19.440
<v Speaker 2>It leaves its own kind of trace. Even reformatting a

204
00:11:19.440 --> 00:11:22.279
<v Speaker 2>hard drive isn't a silver bullet. Data carving can often

205
00:11:22.320 --> 00:11:25.840
<v Speaker 2>still recover snippets of information, email fragments, UserAssist logs,

206
00:11:25.840 --> 00:11:28.000
<v Speaker 2>from that supposedly blank unallocated space.

207
00:11:28.080 --> 00:11:29.960
<v Speaker 1>Right, and what about encryption? That seems like a pretty

208
00:11:29.960 --> 00:11:31.799
<v Speaker 1>formidable shield against forensics.

209
00:11:32.159 --> 00:11:36.080
<v Speaker 2>Encryption, yeah, whether it's symmetric or asymmetric, certainly poses a

210
00:11:36.159 --> 00:11:39.919
<v Speaker 2>significant hurdle, no doubt about it. However, tools exist like

211
00:11:40.039 --> 00:11:44.720
<v Speaker 2>AccessData's Password Recovery Toolkit, or PRTK. It can potentially

212
00:11:44.720 --> 00:11:48.080
<v Speaker 2>crack encrypted files given enough time and computational power. It's

213
00:11:48.120 --> 00:11:51.799
<v Speaker 2>a brute force approach sometimes. Plus forensic software like FTK

214
00:11:51.960 --> 00:11:55.360
<v Speaker 2>can use something called entropy testing to identify whether a

215
00:11:55.360 --> 00:11:57.759
<v Speaker 2>file is encrypted in the first place. Even if it

216
00:11:57.759 --> 00:12:01.200
<v Speaker 2>can't immediately decrypt it, that tells you something's being hidden.

217
00:12:01.759 --> 00:12:04.879
<v Speaker 2>Even simple obfuscation like ROT13, I mean, it's rarely

218
00:12:05.000 --> 00:12:08.720
<v Speaker 2>used to hide serious data, but it's easily detectable. And surprisingly,

219
00:12:08.759 --> 00:12:12.799
<v Speaker 2>Microsoft has a long standing affair with ROT13 in

220
00:12:12.879 --> 00:12:13.759
<v Speaker 2>various contexts.

221
00:12:13.759 --> 00:12:14.240
<v Speaker 1>Apparently.

222
00:12:14.600 --> 00:12:17.399
<v Speaker 2>The book also highlights that even compressed files, things like

223
00:12:17.519 --> 00:12:20.759
<v Speaker 2>ZIP files, which seem inaccessible, can often be opened and

224
00:12:20.799 --> 00:12:23.720
<v Speaker 2>searched directly by powerful tools like FTK and EnCase.

225
00:12:23.960 --> 00:12:26.639
<v Speaker 1>Okay, so, armed with all these techniques, how do investigators

226
00:12:26.639 --> 00:12:29.360
<v Speaker 1>apply them to real world crimes? Let's start with the

227
00:12:29.360 --> 00:12:32.159
<v Speaker 1>intellectual property theft, IP theft. That's a huge concern for

228
00:12:32.240 --> 00:12:33.000
<v Speaker 1>businesses today.

229
00:12:33.120 --> 00:12:37.759
<v Speaker 2>Oh absolutely, IP theft, unauthorized removal of customer data, proprietary

230
00:12:37.799 --> 00:12:40.480
<v Speaker 2>source code. It's a massive risk for corporations. And the

231
00:12:40.480 --> 00:12:44.080
<v Speaker 2>book really emphasizes that USB thumb drives are a gigantic

232
00:12:44.240 --> 00:12:46.519
<v Speaker 2>risk just because they're so easy to use for mass

233
00:12:46.559 --> 00:12:49.960
<v Speaker 2>data removal. Plug it in, copy, walk away. Forensics can

234
00:12:50.000 --> 00:12:52.559
<v Speaker 2>identify which specific drives were plugged in using the Windows

235
00:12:52.639 --> 00:12:55.240
<v Speaker 2>USBSTOR registry key. Think of it like a digital

236
00:12:55.279 --> 00:12:59.600
<v Speaker 2>guestbook entry, right? It even logs the device's unique ID. Then,

237
00:12:59.639 --> 00:13:02.679
<v Speaker 2>alongside this, things like LNK files, ShellBags and MRU

238
00:13:02.759 --> 00:13:05.799
<v Speaker 2>entries act as digital breadcrumbs. They often reveal

239
00:13:05.799 --> 00:13:08.480
<v Speaker 2>which specific files were opened from that external drive, maybe

240
00:13:08.519 --> 00:13:12.360
<v Speaker 2>even entire directory listings. That provides compelling evidence even long

241
00:13:12.399 --> 00:13:14.799
<v Speaker 2>after the drive itself is gone. And when it comes

242
00:13:14.840 --> 00:13:17.279
<v Speaker 2>to source code, investigators can find evidence of cuts and

243
00:13:17.320 --> 00:13:20.159
<v Speaker 2>pastes using hash comparisons or tools like the Unix diff

244
00:13:20.159 --> 00:13:23.120
<v Speaker 2>utility. They can spot even subtle changes or borrowings.

245
00:13:23.399 --> 00:13:27.039
<v Speaker 1>And for internal issues, things like employee misconduct, how detailed

246
00:13:27.039 --> 00:13:30.200
<v Speaker 1>can forensics get there? Is it just about surfing inappropriate websites?

247
00:13:30.399 --> 00:13:33.080
<v Speaker 2>Oh, it goes way beyond that. Employee misconduct, yeah, it

248
00:13:33.080 --> 00:13:36.480
<v Speaker 2>extends far beyond maybe taking office supplies or slacking off.

249
00:13:36.919 --> 00:13:41.240
<v Speaker 2>Computer forensics can meticulously track inappropriate computer and internet use, sure,

250
00:13:41.799 --> 00:13:45.159
<v Speaker 2>but it can also identify harassment through recovered chat logs

251
00:13:45.559 --> 00:13:49.960
<v Speaker 2>or uncover violations of non compete agreements. Investigators can use

252
00:13:50.039 --> 00:13:53.440
<v Speaker 2>highly targeted keyword searches, looking for customer lists being copied,

253
00:13:53.480 --> 00:13:56.600
<v Speaker 2>for example, or even looking for code words employees might

254
00:13:56.639 --> 00:13:59.919
<v Speaker 2>use to communicate improperly on internal systems, trying to fly

255
00:14:00.080 --> 00:14:00.679
<v Speaker 2>under the radar.

256
00:14:00.879 --> 00:14:03.159
<v Speaker 1>Right, Okay, finally, let's look at one of the most

257
00:14:03.200 --> 00:14:07.759
<v Speaker 1>pervasive digital crimes fraud, whether it's employee fraud, corporate fraud,

258
00:14:07.799 --> 00:14:10.840
<v Speaker 1>consumer fraud. What does forensics reveal there?

259
00:14:11.000 --> 00:14:14.559
<v Speaker 2>Well, fraud schemes from employee embezzlement maybe right up to

260
00:14:15.000 --> 00:14:18.120
<v Speaker 2>huge corporate accounting scandals like Enron, or even things like

261
00:14:18.159 --> 00:14:22.000
<v Speaker 2>consumer identity theft and mortgage fraud. They often involve perpetrators

262
00:14:22.039 --> 00:14:24.919
<v Speaker 2>keeping a second set of books, you know, or creating

263
00:14:24.919 --> 00:14:29.120
<v Speaker 2>falsified documents. Forensics really excels at finding these hidden ledgers.

264
00:14:29.200 --> 00:14:32.320
<v Speaker 2>They're often just Excel or QuickBooks files tucked away somewhere,

265
00:14:32.799 --> 00:14:36.360
<v Speaker 2>and it can detect forged documents by analyzing temporary files,

266
00:14:36.399 --> 00:14:40.159
<v Speaker 2>looking in unallocated space, or even checking UserAssist logs

267
00:14:40.320 --> 00:14:43.720
<v Speaker 2>for patterns of activity like scanning, modifying, and printing documents.

268
00:14:44.240 --> 00:14:47.919
<v Speaker 2>For corruption involving things like bribery or kickbacks, tracing communications,

269
00:14:47.960 --> 00:14:50.960
<v Speaker 2>emails, chats, to build a social network of the involved

270
00:14:51.000 --> 00:14:55.320
<v Speaker 2>parties is absolutely key. Even in complex organized cybercrime, forensics

271
00:14:55.360 --> 00:14:57.600
<v Speaker 2>helps determine if malware exists on a system, how it

272
00:14:57.639 --> 00:14:59.919
<v Speaker 2>got there, and exactly what the hackers did by meticulously

273
00:15:00.120 --> 00:15:03.799
<v Speaker 2>reconstructing their activity from network logs and system artifacts. In

274
00:15:03.840 --> 00:15:06.879
<v Speaker 2>money laundering cases, investigators look for evidence of shell companies,

275
00:15:06.960 --> 00:15:10.399
<v Speaker 2>fake identities used in foreign banks, hidden accounting ledgers, tracking

276
00:15:10.399 --> 00:15:12.960
<v Speaker 2>illicit funds. It all leaves digital traces.

277
00:15:13.200 --> 00:15:17.559
<v Speaker 1>Okay, So all this incredibly detailed technical work, it eventually

278
00:15:17.600 --> 00:15:20.559
<v Speaker 1>culminates in the legal system. What does this all mean

279
00:15:20.600 --> 00:15:23.919
<v Speaker 1>when the rubber meets the road and these intricate findings

280
00:15:24.200 --> 00:15:25.240
<v Speaker 1>actually head to court?

281
00:15:25.679 --> 00:15:28.039
<v Speaker 2>Yeah, this raises a really important question, right, how do

282
00:15:28.080 --> 00:15:31.440
<v Speaker 2>you translate this highly complex technical stuff into something a

283
00:15:31.519 --> 00:15:34.440
<v Speaker 2>judge or a jury can understand and actually act upon.

284
00:15:35.240 --> 00:15:39.879
<v Speaker 2>The book underscores the absolutely crucial role of documentation. It's everything,

285
00:15:40.320 --> 00:15:43.960
<v Speaker 2>whether it's internal reports for the company, formal declarations for lawyers,

286
00:15:44.279 --> 00:15:47.759
<v Speaker 2>or sworn affidavits for the court. Investigators have to translate

287
00:15:47.840 --> 00:15:52.720
<v Speaker 2>complex technical findings into clear, concise, factual language for

288
00:15:52.840 --> 00:15:56.559
<v Speaker 2>non technical audiences. And every single statement made must be

289
00:15:56.600 --> 00:16:00.000
<v Speaker 2>defensible based on firsthand knowledge. You have to avoid hearsay;

290
00:16:00.279 --> 00:16:01.679
<v Speaker 2>it has to be what you found.

291
00:16:01.879 --> 00:16:04.720
<v Speaker 1>And there's a significant difference in how evidence is handled

292
00:16:04.720 --> 00:16:06.879
<v Speaker 1>depending on whether it's a civil case or a criminal case.

293
00:16:06.919 --> 00:16:10.000
<v Speaker 1>Isn't there? The implications for the victim, the person whose

294
00:16:10.039 --> 00:16:12.080
<v Speaker 1>computer it is, can be quite different.

295
00:16:12.399 --> 00:16:15.519
<v Speaker 2>Indeed, yeah, that's a key distinction. In criminal cases, law

296
00:16:15.559 --> 00:16:18.639
<v Speaker 2>enforcement often seizes the original media. They have to really

297
00:16:18.679 --> 00:16:21.200
<v Speaker 2>to establish that proper chain of custody, but that means

298
00:16:21.200 --> 00:16:24.120
<v Speaker 2>the complainant the victim may lose control of their own

299
00:16:24.159 --> 00:16:28.320
<v Speaker 2>equipment for potentially a very long time. However, in civil litigation,

300
00:16:28.440 --> 00:16:31.360
<v Speaker 2>the parties generally maintain more control over the whole dispute

301
00:16:31.360 --> 00:16:35.360
<v Speaker 2>resolution process. This often allows private forensic experts to just

302
00:16:35.480 --> 00:16:38.440
<v Speaker 2>image the systems, make a perfect copy, and preserve that

303
00:16:38.519 --> 00:16:42.600
<v Speaker 2>copy while the original computers or media are returned relatively quickly.

304
00:16:42.799 --> 00:16:46.679
<v Speaker 2>It minimizes disruption and as a testifying expert witness, you're

305
00:16:46.679 --> 00:16:49.480
<v Speaker 2>there to provide an independent opinion based on your expertise,

306
00:16:49.799 --> 00:16:52.120
<v Speaker 2>but you have to be acutely aware that all your work,

307
00:16:52.240 --> 00:16:55.639
<v Speaker 2>all your communications related to the case are discoverable. That

308
00:16:55.679 --> 00:16:58.519
<v Speaker 2>means any document, any email, even a quick note or

309
00:16:58.559 --> 00:17:01.039
<v Speaker 2>a doodle you made, it could become work product and

310
00:17:01.120 --> 00:17:04.160
<v Speaker 2>be subject to questioning by the other side. So objectivity

311
00:17:04.279 --> 00:17:06.200
<v Speaker 2>being impartial is just paramount.

312
00:17:06.480 --> 00:17:10.160
<v Speaker 1>Ultimately, the ramifications of these digital crimes, whether it's IP theft,

313
00:17:10.519 --> 00:17:14.640
<v Speaker 1>employee misconduct, or huge fraud schemes, they have immense impacts

314
00:17:14.720 --> 00:17:19.480
<v Speaker 1>right on companies, on shareholders, on individuals. This deep dive

315
00:17:19.519 --> 00:17:23.319
<v Speaker 1>has really shown us the essential, often painstaking role computer

316
00:17:23.400 --> 00:17:27.400
<v Speaker 1>forensics plays in uncovering these hidden truths. So we've journeyed

317
00:17:27.400 --> 00:17:30.279
<v Speaker 1>through this intricate world of computer forensics, haven't we? From

318
00:17:30.279 --> 00:17:32.200
<v Speaker 1>the hidden corners of your hard drive all the way

319
00:17:32.240 --> 00:17:36.039
<v Speaker 1>to the complex web of organized cybercrime. We've seen how

320
00:17:36.079 --> 00:17:40.839
<v Speaker 1>dedicated experts, using precise methods and highly specialized tools can

321
00:17:40.920 --> 00:17:44.440
<v Speaker 1>uncover those digital footprints that expose deception and bring clarity

322
00:17:44.440 --> 00:17:45.960
<v Speaker 1>to really complex situations.

323
00:17:46.359 --> 00:17:48.279
<v Speaker 2>And if we connect this to the bigger picture, I

324
00:17:48.319 --> 00:17:51.400
<v Speaker 2>think it means that even in our increasingly digital world,

325
00:17:51.680 --> 00:17:55.400
<v Speaker 2>accountability for actions, whether they're accidental or intentional, it leaves

326
00:17:55.440 --> 00:17:57.880
<v Speaker 2>a tangible trail. It really does. The field of computer

327
00:17:57.920 --> 00:18:01.279
<v Speaker 2>forensics provides the critical techniques to follow that trail, piece

328
00:18:01.279 --> 00:18:04.680
<v Speaker 2>by piece, regardless of how cleverly someone tries to hide it.

329
00:18:04.920 --> 00:18:07.000
<v Speaker 1>So what stands out to you from this deep dive?

330
00:18:07.319 --> 00:18:10.079
<v Speaker 1>For me, it's a stark reminder that every digital interaction,

331
00:18:10.160 --> 00:18:13.519
<v Speaker 1>every file created or deleted, every email sent, it leaves

332
00:18:13.519 --> 00:18:16.359
<v Speaker 1>a unique signature. The question isn't just if the evidence

333
00:18:16.400 --> 00:18:19.359
<v Speaker 1>exists anymore, it's usually who has the expertise and the

334
00:18:19.440 --> 00:18:21.079
<v Speaker 1>right tool to actually find it,
