WEBVTT 1 00:00:00.160 --> 00:00:04.120 Welcome curious minds to another deep dive. Today, we'm marking 2 00:00:04.120 --> 00:00:06.320 on a journey into a field that sounds straight out 3 00:00:06.320 --> 00:00:10.880 of a Hollywood thriller, but is far more intricate, vital, 4 00:00:11.199 --> 00:00:15.720 frankly fascinating in reality. We're talking about computer forensics and 5 00:00:15.919 --> 00:00:20.359 incident response, the meticulous art and well the urgent science 6 00:00:20.399 --> 00:00:21.760 of digital detective work. 7 00:00:21.960 --> 00:00:25.839 That's right. And while many might, you know, associate forensics 8 00:00:25.839 --> 00:00:29.120 purely with the FBI or big government agencies, the reality 9 00:00:29.199 --> 00:00:33.359 is digital evidence is now absolutely central. Just so much 10 00:00:33.679 --> 00:00:37.159 there's so much crime, so many security incidents. Organizations of 11 00:00:37.200 --> 00:00:40.799 all sizes, big corporation, small businesses, they desperately need to 12 00:00:40.840 --> 00:00:44.240 understand exactly what happened on their systems after a breach 13 00:00:44.320 --> 00:00:48.119 or you know, some kind of anomaly. Okay, So our 14 00:00:48.159 --> 00:00:50.200 mission in this deep dive is really to equip you 15 00:00:50.240 --> 00:00:53.280 with the foundational understanding of this critical field. Yeah, we'll 16 00:00:53.320 --> 00:00:57.280 be revealing some surprising facts, crucial techniques that these digital 17 00:00:57.320 --> 00:00:59.840 sleuths use every day. And we're doing this to the 18 00:01:00.079 --> 00:01:04.159 ends of Computer Forensics Incident Response Essentials by Warren G. 19 00:01:04.319 --> 00:01:07.400 Cruz and JG. Heiser, a classic tech it really is. 20 00:01:07.439 --> 00:01:10.000 It's from two thousand and two, but honestly, it still 21 00:01:10.040 --> 00:01:12.000 offers incredibly relevant insights today. 22 00:01:12.120 --> 00:01:15.239 Okay, so we're dealing with a digital crime scene, but 23 00:01:16.200 --> 00:01:19.400 unlike a physical one where you might see obvious signs, 24 00:01:19.439 --> 00:01:23.840 you know, fingerprints, physical evidence. What are the fundamental challenges 25 00:01:23.879 --> 00:01:27.680 of even seeing a digital incident? Where do you even begin? 26 00:01:28.200 --> 00:01:30.760 That's a really good place to start, because the challenges 27 00:01:30.799 --> 00:01:35.599 are they're profound. At its heart, computer forensics involves a 28 00:01:35.680 --> 00:01:41.480 very structured process. You've got preservation, identification, extraction, documentation, and 29 00:01:41.560 --> 00:01:43.079 interpretation of computer data. 30 00:01:43.200 --> 00:01:44.359 Okay, break that down a bit. 31 00:01:44.519 --> 00:01:48.200 Sure. Think of it like this. Securing the scene that's preservation. 32 00:01:48.640 --> 00:01:52.680 Figuring out what's actually relevant data that's identification, Getting that 33 00:01:52.760 --> 00:01:57.120 data out safely that's extraction. Writing down Everything you do 34 00:01:57.280 --> 00:02:01.239 meticulously is documentation, criticalsolute, and then making sense of it 35 00:02:01.239 --> 00:02:04.760 all is interpretation. Every single step is vital to make 36 00:02:04.799 --> 00:02:07.359 sure the evidence actually holds up, you know, in court 37 00:02:07.519 --> 00:02:08.520 or for internal reviews. 38 00:02:08.560 --> 00:02:10.879 And the biggest challenge you mentioned volatility. 39 00:02:11.080 --> 00:02:14.120 Digital data is just incredibly volatile. It can change or 40 00:02:14.199 --> 00:02:16.919 just vanish in seconds. Even looking at it the wrong 41 00:02:16.960 --> 00:02:18.280 way can sometimes alter it. 42 00:02:18.360 --> 00:02:22.280 Wow, that volatility sounds like a real tightrope walk. The 43 00:02:22.439 --> 00:02:26.560 book highlights this common misunderstanding that really stuck with me. 44 00:02:26.759 --> 00:02:27.159 What's up? 45 00:02:27.479 --> 00:02:31.280 Nobody expects a prosecutor to like rebuild times square in 46 00:02:31.319 --> 00:02:34.520 a courtroom after a physical crime. Impossible, But in a 47 00:02:34.560 --> 00:02:39.280 computer crime case, there's often this almost impossible expectation to 48 00:02:39.439 --> 00:02:43.439 recreate the entire system exactly as it was. What's behind 49 00:02:43.479 --> 00:02:45.199 that huge gap in understanding? 50 00:02:45.240 --> 00:02:49.000 Precisely? And it really stems from a general unfamiliarity not 51 00:02:49.080 --> 00:02:51.319 just with the nitty gritty of digital forensics, but often 52 00:02:51.360 --> 00:02:54.680 with computers themselves, especially you know, in legal circles or 53 00:02:54.719 --> 00:02:56.159 among non technical managers. 54 00:02:56.240 --> 00:02:56.439 Yeah. 55 00:02:56.479 --> 00:02:58.879 I can see that this lack of understanding makes the 56 00:02:58.879 --> 00:03:02.759 field uniquelyallenging, and it raises a key question, why is 57 00:03:02.759 --> 00:03:07.400 this expertise so incredibly in demand now, maybe even more 58 00:03:07.479 --> 00:03:09.240 than back in two thousand and two when the book 59 00:03:09.280 --> 00:03:09.599 came out. 60 00:03:09.639 --> 00:03:10.439 Billions lost? 61 00:03:10.520 --> 00:03:15.080 Right, billions, yes, lost annually to cybercrime, and computers are 62 00:03:15.120 --> 00:03:18.400 just central to everything now, fraud, ip, theft, you name it. 63 00:03:18.639 --> 00:03:20.680 So it's not just law enforcement, no. 64 00:03:20.400 --> 00:03:24.319 No, law enforcement is crucial obviously, but major corporations they 65 00:03:24.360 --> 00:03:29.360 also need really sophisticated internal security teams. The thing is 66 00:03:29.560 --> 00:03:33.439 these corporate security pros often really experienced with physical theft. 67 00:03:33.960 --> 00:03:37.919 They're frequently well ill prepared for the nuances of computer crime. 68 00:03:38.159 --> 00:03:40.199 Ah different skill set. 69 00:03:40.159 --> 00:03:44.000 Totally different. The book really speaks to this urgent need 70 00:03:44.080 --> 00:03:47.639 for system admin's corporate security staff to become these sort 71 00:03:47.639 --> 00:03:48.599 of digital sleuths. 72 00:03:48.879 --> 00:03:50.680 And it's always changing constantly. 73 00:03:50.800 --> 00:03:53.759 That's what's fascinating. The legal side, the regulatory environment, the 74 00:03:53.800 --> 00:03:57.639 crime methods themselves, the investigation techniques, all in constant flux. 75 00:03:57.719 --> 00:04:00.120 Is definitely not a feel for the complacent. It demands 76 00:04:00.159 --> 00:04:03.879 continuous learning, flexibility, and just a really deep grasp of technology. 77 00:04:04.000 --> 00:04:08.240 Okay, so, given this dynamic, fast changing environment and the 78 00:04:08.439 --> 00:04:12.639 extreme volatility you mentioned, it sounds like digital forensics needs 79 00:04:12.639 --> 00:04:16.959 some almost sacred rules. What's the absolute number one, non 80 00:04:17.040 --> 00:04:21.079 negotiable principle for an investigator stepping into this delicate digital 81 00:04:21.120 --> 00:04:21.839 crime scene. 82 00:04:22.079 --> 00:04:25.839 The authors are absolutely crystal clear on this, do no harm. 83 00:04:25.680 --> 00:04:26.439 Do no harm. 84 00:04:26.519 --> 00:04:32.079 You should never ever directly examine the original storage media, 85 00:04:32.240 --> 00:04:35.240 the original hard drive, the original USB stick if you 86 00:04:35.279 --> 00:04:36.480 could possibly avoid it. 87 00:04:36.639 --> 00:04:38.000 Why is that so fundamental? 88 00:04:38.279 --> 00:04:42.160 The entire process hinges on maintaining the integrity of that 89 00:04:42.240 --> 00:04:46.199 original evidence. Think about smudging a fingerprint or altering a 90 00:04:46.199 --> 00:04:48.560 physical piece of evidence at a crime scene destroys the 91 00:04:48.600 --> 00:04:52.040 case exactly. The digital equivalent is actually far easier to 92 00:04:52.040 --> 00:04:54.399 do by accident. Just booting up a machine can change 93 00:04:54.480 --> 00:04:55.360 hundreds of files. 94 00:04:55.480 --> 00:04:57.959 So the ideal is always work with copies. But what if? 95 00:04:58.480 --> 00:05:01.160 What if the situation doesn't allow for that You mentioned 96 00:05:01.240 --> 00:05:04.199 volatility earlier. Give me a real world example where an 97 00:05:04.199 --> 00:05:06.439 investigator might have to make a tough call. Maybe bend 98 00:05:06.519 --> 00:05:08.240 that do no harm rule slightly. 99 00:05:08.439 --> 00:05:12.399 That's where the real world complexity comes in. For instance, 100 00:05:12.600 --> 00:05:16.439 imagine an active Internet intrusion, a hack happening right now, Okay, 101 00:05:16.839 --> 00:05:20.920 crucial evidence. Maybe the attacker's commands might only exist in 102 00:05:20.959 --> 00:05:24.920 the computer's RAM. It's volatile temporary memory stuff. 103 00:05:24.720 --> 00:05:26.279 That disappears when you turn it off. 104 00:05:26.399 --> 00:05:29.160 Precisely turn off the computer and poof that evidence is 105 00:05:29.199 --> 00:05:29.759 gone forever. 106 00:05:29.959 --> 00:05:30.319 Yeah. 107 00:05:30.399 --> 00:05:33.360 The ideal scenario would be to freeze the system's state, 108 00:05:33.800 --> 00:05:36.600 maybe do a live acquisition of the RAM content. But 109 00:05:36.920 --> 00:05:41.600 politically or for business reasons, management often refuses. They won't 110 00:05:41.600 --> 00:05:44.240 allow the shutdown of a critical production server even if 111 00:05:44.279 --> 00:05:47.319 it's compromised. Wow, so this is where an investigator has 112 00:05:47.319 --> 00:05:51.079 to make incredibly tough calls. You're weighing the potential loss 113 00:05:51.120 --> 00:05:55.079 of vital evidence against business continuity, and the absolute key 114 00:05:55.160 --> 00:05:59.920 in those situations. Document everything, every decision, every action won 115 00:06:00.160 --> 00:06:02.040 you did it meticulously. 116 00:06:02.360 --> 00:06:07.680 Speaking of meticulousness and documentation, the book gives some really concrete, 117 00:06:08.160 --> 00:06:10.959 almost step by step advice for actually safe keeping the 118 00:06:11.000 --> 00:06:14.240 evidence once you have it. Beyond do no harm, what 119 00:06:14.319 --> 00:06:16.800 are the practical things an investigator needs to do right 120 00:06:16.800 --> 00:06:17.560 there at the scene. 121 00:06:17.759 --> 00:06:20.240 Yeah, it's all about comprehensive recording from the get go. 122 00:06:21.160 --> 00:06:24.639 Every single item related to the incident must be identified 123 00:06:24.639 --> 00:06:25.199 and labeled. 124 00:06:25.279 --> 00:06:26.839 Not just the computer itself, Oh. 125 00:06:26.720 --> 00:06:29.879 No, everything the main computer, every piece of media, floppy 126 00:06:29.879 --> 00:06:33.759 disks back then, USB drives now, every cable you unplug, 127 00:06:34.000 --> 00:06:35.680 every peripheral attached. 128 00:06:35.240 --> 00:06:36.279 And what goes on the label. 129 00:06:36.399 --> 00:06:40.199 The label needs specific things the case number, a brief 130 00:06:40.240 --> 00:06:43.399 description of the item, the investigator signature, and the exact 131 00:06:43.480 --> 00:06:47.639 date and time of collection, very precise and critically. You 132 00:06:47.720 --> 00:06:51.240 need to photograph the crime scene itself. Start wide, show 133 00:06:51.279 --> 00:06:54.279 the whole area, then gradually zoom in on the suspect computer. 134 00:06:55.079 --> 00:06:57.519 Document it stated exactly as you found it. What's on 135 00:06:57.560 --> 00:06:59.519 the screen? Are there any error messages? Is it on 136 00:06:59.639 --> 00:07:01.800 or off? This visually preserves the. 137 00:07:01.720 --> 00:07:05.160 Context right, that makes sense, and this detailed process, the 138 00:07:05.240 --> 00:07:09.319 labeling the photos, it leads directly to this absolutely critical 139 00:07:09.319 --> 00:07:13.279 concept you hear about the chain of custody. Why is 140 00:07:13.319 --> 00:07:16.879 this so vital in digital forensics? What happens if that 141 00:07:17.000 --> 00:07:17.800 chain is broken? 142 00:07:17.920 --> 00:07:21.720 The chain of custody is well, it's a paramount. It's 143 00:07:21.800 --> 00:07:24.519 the documented trail that proves the evidence you collected is 144 00:07:24.560 --> 00:07:27.839 the exact same evidence being presented later, maybe in court, 145 00:07:28.240 --> 00:07:31.480 and crucially that it hasn't been tampered with, altered or 146 00:07:31.480 --> 00:07:33.560 swapped out along the way. And if it's not perfect, 147 00:07:33.680 --> 00:07:37.360 the consequences can be dire. The book gives this powerful 148 00:07:37.399 --> 00:07:41.000 real world example from the CD Universe website intrusion case. 149 00:07:41.199 --> 00:07:42.000 What happened there? 150 00:07:42.120 --> 00:07:45.160 Apparently the evidence was reportedly tainted simply because the chain 151 00:07:45.199 --> 00:07:48.920 of custody was not established properly. Someone involved was even 152 00:07:49.000 --> 00:07:51.560 quoted saying it's like the OJ Simpson case. The evidence 153 00:07:51.639 --> 00:07:56.240 is tainted oof high stakes, scremely high stakes. So to 154 00:07:56.240 --> 00:08:00.040 prevent this, evidence must be stored in sealed containers I 155 00:08:00.040 --> 00:08:03.000 think pamper evident bags or boxes in the secure area 156 00:08:03.199 --> 00:08:07.639 with strictly limited access ideally you have one primary custodiane 157 00:08:07.680 --> 00:08:10.839 responsible for it and maybe one alternate. Every single time 158 00:08:10.879 --> 00:08:14.639 that evidence moves or is accessed, it must be logged. Who, what, when? Why? 159 00:08:14.800 --> 00:08:18.519 Okay, So you've meticulously secured the physical items, the hard drive, 160 00:08:18.560 --> 00:08:21.319 the laptop, whatever it is, and you've established that rock 161 00:08:21.360 --> 00:08:24.079 solid chain of custody log how do you then prove 162 00:08:24.120 --> 00:08:26.639 that the digital data itself hasn't been messed with, either 163 00:08:26.720 --> 00:08:30.279 by accident or intentionally. This sounds like it needs some 164 00:08:30.399 --> 00:08:33.679 serious digital wizardry. What's the main tool the authors talk about? 165 00:08:33.840 --> 00:08:38.399 This is where cryptographic hash values become absolutely essential. Hashes Okay, 166 00:08:38.440 --> 00:08:41.240 think of them as an electronic fingerprint for data. Algorithms 167 00:08:41.240 --> 00:08:44.200 like MB five though we less used now, and more 168 00:08:44.200 --> 00:08:48.360 commonly SAHA. Like SAHA two fifty six, they produce a unique, 169 00:08:48.360 --> 00:08:50.720 fixed size string of characters for any given piece of 170 00:08:50.799 --> 00:08:53.320 data you need. Cow if even one single bit a 171 00:08:53.440 --> 00:08:56.159 zero or a one changes in that data, the resulting 172 00:08:56.159 --> 00:09:00.360 hash value will be completely different, dramatically different. So calculate 173 00:09:00.440 --> 00:09:03.759 this hash value when you first collect the data, ideally 174 00:09:03.759 --> 00:09:06.039 from the original media, before you even make a copy. 175 00:09:06.759 --> 00:09:09.960 Then any copies you make for your examination, you hash 176 00:09:10.039 --> 00:09:13.720 those two By comparing the hash of the copy to 177 00:09:13.759 --> 00:09:16.840 the hack of the original, you can mathematically prove they 178 00:09:16.840 --> 00:09:20.320 are identical. That's clever, it is, and it's worth noting. 179 00:09:20.519 --> 00:09:22.360 Even back in two thousand and two, the authors were 180 00:09:22.360 --> 00:09:26.279 really prescient. They anticipated that MB five, which was common then, 181 00:09:26.600 --> 00:09:28.799 would likely become obsolete in a few years. 182 00:09:28.840 --> 00:09:29.399 And it has. 183 00:09:29.559 --> 00:09:32.600 Oh yeah, it's considered broken now for forensic integrity because 184 00:09:32.639 --> 00:09:35.799 of something called collisions, where different data can produce the 185 00:09:35.799 --> 00:09:39.600 same hash. So now we use stronger algorithms like SAJA 186 00:09:39.600 --> 00:09:40.360 two fifty six. 187 00:09:40.600 --> 00:09:44.000 That foresight itself is pretty insightful about the field, isn't it. 188 00:09:44.000 --> 00:09:47.480 It absolutely is. It underscores that what's considered forensically sound 189 00:09:47.519 --> 00:09:51.480 today might not be tomorrow. Investigators have to constantly validate 190 00:09:51.519 --> 00:09:54.759 their tools and methods adapt to new cryptographic standards. It 191 00:09:54.799 --> 00:09:58.440 really demands this continuous skepticism, even about your own tools. 192 00:09:58.720 --> 00:10:01.720 Okay, so you've got your perfect copy, it's been hashed, 193 00:10:01.879 --> 00:10:04.639 the original is safely locked away. You're moving into the 194 00:10:04.759 --> 00:10:08.000 analysis phase. What are the key things to keep in 195 00:10:08.039 --> 00:10:08.559 mind there? 196 00:10:09.039 --> 00:10:11.600 Well, first, the analysis phase is where you actively dig in. 197 00:10:11.679 --> 00:10:15.120 You start looking for evidence, but critically, always with that 198 00:10:15.279 --> 00:10:18.600 verified digital copy. Never the original. 199 00:10:18.279 --> 00:10:21.759 Right, protect the original at all costs always, and you 200 00:10:21.799 --> 00:10:24.679 should always make a hash maybe MD five or SAHA 201 00:10:24.759 --> 00:10:27.440 of any newly created drive images. 202 00:10:27.039 --> 00:10:29.840 Before you start analyzing them. It's another layer of integrity 203 00:10:29.919 --> 00:10:31.159 checking throughout your process. 204 00:10:31.399 --> 00:10:34.240 Makes sense? Any other interesting tips from the book about 205 00:10:34.279 --> 00:10:35.279 the analysis itself. 206 00:10:35.559 --> 00:10:40.360 Yeah, there's a fascinating psychological or maybe legal insight they offer. 207 00:10:40.639 --> 00:10:44.399 They actually warn against using rigid checklists during forensic analysis. 208 00:10:44.519 --> 00:10:46.960 Really, why not checklists sound like a good way to 209 00:10:46.960 --> 00:10:48.159 be thorough you'd. 210 00:10:47.919 --> 00:10:51.240 Think so, right, But imagine being cross examined in court, 211 00:10:51.600 --> 00:10:54.440 a lawyer asks why didn't you check box number seven 212 00:10:54.519 --> 00:10:57.919 on your standard procedure checklist? Even if box seven was 213 00:10:58.080 --> 00:11:00.000 totally irrelevant to this specific investigation. 214 00:11:00.559 --> 00:11:02.480 It creates an opening, exactly. 215 00:11:02.639 --> 00:11:05.480 It gives the other side an easy question you don't 216 00:11:05.480 --> 00:11:10.240 want to answer. So instead they recommend using cheat sheets, guides, reminders, 217 00:11:10.480 --> 00:11:14.559 but without checkboxes. It's about maintaining that investigative rigor without 218 00:11:14.639 --> 00:11:18.960 creating easily exploitable gaps for opposing council. It really shows 219 00:11:19.000 --> 00:11:21.360 the legal tightrope these professionals walk. 220 00:11:21.480 --> 00:11:24.399 That's a subtle but really important point. Okay, so you've 221 00:11:24.440 --> 00:11:27.399 got your pristine digital copy you've hashed it, you've got 222 00:11:27.440 --> 00:11:31.159 your cheat sheet ready, you're ready to analyze. But what 223 00:11:31.240 --> 00:11:34.000 if the attackers were really clever? What if they didn't 224 00:11:34.000 --> 00:11:36.000 want you to find anything? It sounds like this is 225 00:11:36.039 --> 00:11:38.320 where the game of digital hide and seek truly begins. 226 00:11:38.399 --> 00:11:41.399 That's precisely it. A core principle, really, a mindset in 227 00:11:41.440 --> 00:11:45.919 forensics is you must always assume that any system you're 228 00:11:45.960 --> 00:11:48.919 examining might contain hidden data. Don't just look at the 229 00:11:48.919 --> 00:11:49.720 obvious files. 230 00:11:49.799 --> 00:11:51.360 So where do people hide things? 231 00:11:51.679 --> 00:11:53.840 Well? A prime example the book talks about is slack 232 00:11:53.879 --> 00:11:57.399 space slackspear. Yeah, it's that leftover, unused portion of a 233 00:11:57.399 --> 00:11:59.799 storage cluster and a hard drive. When you save a 234 00:11:59.799 --> 00:12:02.840 five file, the operating system allocates space in fixed chunks 235 00:12:02.840 --> 00:12:06.200 called clusters. If your file doesn't perfectly fill up the 236 00:12:06.279 --> 00:12:10.120 last cluster, there's leftover space exactly, and that space often 237 00:12:10.120 --> 00:12:13.600 contains fragments of previously deleted files or other orphan data 238 00:12:13.840 --> 00:12:17.080 that the OS just hasn't overwritten yet. It just sits there. Wow, 239 00:12:17.120 --> 00:12:21.120 even applications could contribute. The book mentions word ninety seven 240 00:12:21.240 --> 00:12:25.639 was notorious for vacuuming up stray data from memory into 241 00:12:25.679 --> 00:12:28.600 dot doc file data. You couldn't see inside word itself. 242 00:12:28.759 --> 00:12:30.639 But if you looked at the raw file. 243 00:12:30.759 --> 00:12:32.480 Right, if you viewed it with a hex editor, a 244 00:12:32.519 --> 00:12:35.200 tool that shows the raw bytes of a file, you 245 00:12:35.279 --> 00:12:36.879 might find interesting snipvets. 246 00:12:37.159 --> 00:12:39.759 So data just lurking in plain sight, sort of if 247 00:12:39.799 --> 00:12:42.240 you know where to look. But the book reveals even 248 00:12:42.320 --> 00:12:45.679 more sophisticated ways data can be tucked away right, not 249 00:12:45.720 --> 00:12:48.639 just in unused corners, but like within the file system 250 00:12:48.720 --> 00:12:51.200 structure itself, totally hidden from normal view. 251 00:12:51.360 --> 00:12:54.519 Absolutely, and this next one is particularly insidious, especially for 252 00:12:54.600 --> 00:12:58.679 Windows users. NTFS streams or alternate data. 253 00:12:58.519 --> 00:13:01.039 Streams NTFS streams those It's. 254 00:13:00.879 --> 00:13:04.279 A capability built into the NTFS filesystem, which is standard 255 00:13:04.279 --> 00:13:07.120 on most Windows machines, but basically allows you to attach 256 00:13:07.399 --> 00:13:10.639 arbitrary data, even entire programs, to an existing. 257 00:13:10.320 --> 00:13:13.000 File attached to a file not in it, kind. 258 00:13:12.840 --> 00:13:16.480 Of like a hidden sidecar. The amazing and scary thing 259 00:13:16.919 --> 00:13:20.840 is that this attached data is completely invisible to normal 260 00:13:20.919 --> 00:13:23.480 tools like Windows Explore or if you just list files 261 00:13:23.480 --> 00:13:26.720 in the command prompt no way. Yes. The book shows 262 00:13:26.759 --> 00:13:30.440 examples like creating myfile dot txt dot hidden stuff, where 263 00:13:30.679 --> 00:13:33.240 dot hidden stuff is the stream name you could put 264 00:13:33.240 --> 00:13:36.000 secret notes in there a directory listing, or they even 265 00:13:36.039 --> 00:13:39.840 show hiding and then executing notepad dot ex from within 266 00:13:39.879 --> 00:13:42.600 a stream attached to a seemingly harmless text file. 267 00:13:42.919 --> 00:13:45.279 That's crazy. How do you even find those? 268 00:13:45.440 --> 00:13:48.320 You need specialized forensic tools or even some command line 269 00:13:48.399 --> 00:13:51.360 utilities like der R or dedicated tools like s FIN 270 00:13:51.720 --> 00:13:54.919 that are designed specifically to look for these alternate data streams. 271 00:13:54.960 --> 00:13:57.000 They would just show up as separate files. It's a 272 00:13:57.039 --> 00:13:59.799 classic example of attackers using a legitimate system feature from 273 00:13:59.799 --> 00:14:00.679 all purposes. 274 00:14:00.799 --> 00:14:03.840 That's incredible, completely hidden from plain sight. How often do 275 00:14:03.919 --> 00:14:06.919 investigators actually run into this in real cases? Is it common? 276 00:14:07.279 --> 00:14:10.720 It's definitely something experienced investigators check for. Maybe not the 277 00:14:10.720 --> 00:14:14.120 first place malware always hindes, but it's common enough that 278 00:14:14.200 --> 00:14:17.519 a thorough examination has to include checking for ADSs. It 279 00:14:17.639 --> 00:14:20.399 just shows attackers will use any means available within the 280 00:14:20.440 --> 00:14:22.480 OS itself to stay hidden, right. 281 00:14:23.200 --> 00:14:28.240 Okay, So, moving beyond hiding data locally, when you're tracking offenders, 282 00:14:28.799 --> 00:14:32.120 email often comes up, right. It seems like a gold mine. 283 00:14:32.159 --> 00:14:34.360 It can be a rich source, yes, but it can 284 00:14:34.360 --> 00:14:37.759 also be a minefield of deception. How so, well, the 285 00:14:37.799 --> 00:14:40.919 book demonstrates how incredibly easy it is to fake the 286 00:14:41.000 --> 00:14:43.759 frum address in an Internet email message. 287 00:14:43.799 --> 00:14:45.320 You mean, make it look like it came from someone 288 00:14:45.320 --> 00:14:46.240 else exactly. 289 00:14:46.399 --> 00:14:49.039 You can manually connect to an email server using something 290 00:14:49.039 --> 00:14:51.600 basic like Telnet on port twenty five and just type 291 00:14:51.600 --> 00:14:53.559 the commands to send an email. You can put pretty 292 00:14:53.639 --> 00:14:55.159 much whatever you want in the mail. 293 00:14:55.200 --> 00:14:57.240 From part Why is that possible seems like a huge 294 00:14:57.279 --> 00:14:57.960 security hole. 295 00:14:58.120 --> 00:15:03.120 It's because the core email protocols basically has no strong 296 00:15:03.159 --> 00:15:06.519 authentication for the sender built in. It kind of operates 297 00:15:06.559 --> 00:15:07.039 on trust. 298 00:15:07.600 --> 00:15:09.200 So how do you trace a fake email? Then? 299 00:15:09.559 --> 00:15:13.440 By carefully deciphering the email headers, those blocks of text 300 00:15:13.519 --> 00:15:16.000 at the top of an email that most people ignore. Yeah, 301 00:15:16.039 --> 00:15:19.879 the gibberish, it's not gibberish. It contains routing information showing 302 00:15:19.879 --> 00:15:23.360 the servers the email passed through. By analyzing those you 303 00:15:23.360 --> 00:15:26.679 can often trace the real originating IP address, especially if 304 00:15:26.679 --> 00:15:29.080 it came from a big free email service like Gmail 305 00:15:29.159 --> 00:15:32.320 or Hotmail. Though actually getting the user behind that IP 306 00:15:33.159 --> 00:15:36.759 usually requires a subpoena to the provider for their logs, so. 307 00:15:36.679 --> 00:15:39.399 It's a constant game of cat and mouse digital spy 308 00:15:39.559 --> 00:15:43.240 versus spy. The book even gives tipsy mentioned on how 309 00:15:43.320 --> 00:15:46.159 investigators can hide their tracks when they're tracking someone. What's 310 00:15:46.200 --> 00:15:46.879 the advice there? 311 00:15:49.039 --> 00:15:50.919 Don't want to tip off the suspect, right right. 312 00:15:50.840 --> 00:15:54.399 It's all about operational security for the investigator or OPSEC. 313 00:15:55.039 --> 00:15:57.639 When you're using network tools like ping to see if 314 00:15:57.639 --> 00:16:01.240 a suspects machine is online, or trace route to map 315 00:16:01.279 --> 00:16:03.519 the path to it, don't do it from your main 316 00:16:03.559 --> 00:16:06.960 corporate network. Perform those scans from a system that's not 317 00:16:07.200 --> 00:16:10.919 obviously linked to your organization. Maybe use a temporary anonymous 318 00:16:10.960 --> 00:16:14.279 dial up ISP account or some other non attributable network. 319 00:16:14.519 --> 00:16:16.919 The goal is to make sure the suspect doesn't suddenly 320 00:16:16.960 --> 00:16:20.679 see corporate probing back, doesn't see connection attempts from your 321 00:16:20.679 --> 00:16:24.639 company's IP range, and realize they're being watched. That could 322 00:16:24.679 --> 00:16:27.440 spook them into destroying evidence or going completely dark. 323 00:16:28.000 --> 00:16:32.279 Makes sense, be the ghost okay. And for the really determined, 324 00:16:32.360 --> 00:16:37.200 really sophisticated adversaries, the authors introduce something even more sinister, 325 00:16:38.039 --> 00:16:41.440 root kits. What exactly are these and why are they 326 00:16:41.440 --> 00:16:42.679 considered so dangerous? 327 00:16:43.120 --> 00:16:47.399 Root kits are well, they're essentially suites of tools toolkits 328 00:16:47.440 --> 00:16:50.320 that attackers deploy after they've already gained initial access to 329 00:16:50.360 --> 00:16:52.799 a system. They're not usually the entry methods. 330 00:16:52.840 --> 00:16:54.000 So what do they do once they're in? 331 00:16:54.240 --> 00:16:57.559 Their main purpose is to escalate privileges, get admin rights, 332 00:16:57.799 --> 00:17:00.639 hide the attackers' activities, their files, the running processes, their 333 00:17:00.679 --> 00:17:04.279 network connections, and gather more information, maybe installed back doors. 334 00:17:04.400 --> 00:17:07.319 It lets them maintain persistent control over the system. 335 00:17:07.119 --> 00:17:09.960 Undetected, hiding their trackstep inside. 336 00:17:09.480 --> 00:17:12.519 Exactly Unix rootkits have been around for years, and the 337 00:17:12.559 --> 00:17:14.640 book noted back in two thousand and two that Windows 338 00:17:14.640 --> 00:17:18.240 and T versions were emerging. What makes them particularly dangerous 339 00:17:18.279 --> 00:17:19.599 is when you get a kernel root kit. 340 00:17:19.880 --> 00:17:22.000 Kernel that sounds bad. 341 00:17:21.759 --> 00:17:24.880 It is. It means the root kit embeds itself deep 342 00:17:24.960 --> 00:17:28.559 within the operating system's core. The kernel itself the very 343 00:17:28.640 --> 00:17:32.480 heart of how the system functions, and a system compromised 344 00:17:32.519 --> 00:17:34.920 with a well written kernel root kit could be impossible 345 00:17:34.920 --> 00:17:38.559 to detect from within the hacked system itself. Why impossible 346 00:17:38.799 --> 00:17:42.160 because the rootkit subverts the very tools an administrator would use. 347 00:17:42.799 --> 00:17:46.400 If you run taskless to see processes, the rootkit intercepts 348 00:17:46.400 --> 00:17:49.599 that command and filters out its own malicious processes from 349 00:17:49.599 --> 00:17:52.920 the list it lies to the administrator about what's actually running. 350 00:17:53.359 --> 00:17:55.720 WHOA, So the system itself can't be trusted. 351 00:17:55.839 --> 00:17:58.720 Correct You often need external tools like booting from a 352 00:17:58.759 --> 00:18:02.000 trusted forensic CD or analyzing the hard drive offline to 353 00:18:02.079 --> 00:18:05.240 even stand a chance of detecting a sophisticated Colonel rootkit. 354 00:18:05.400 --> 00:18:08.960 That's a chilling thought. Okay, So beyond the purely technical, 355 00:18:09.279 --> 00:18:12.079 what does this all mean for the people involved? The 356 00:18:12.160 --> 00:18:15.799 digital evidence is just one piece. There's the human element too. 357 00:18:16.480 --> 00:18:19.680 The book had some fascinating insights on interviewing suspects, didn't 358 00:18:19.680 --> 00:18:20.480 it It did. 359 00:18:20.880 --> 00:18:24.200 It's a great reminder that human psychology remains absolutely critical 360 00:18:24.240 --> 00:18:24.960 in investigations. 361 00:18:25.000 --> 00:18:25.599 What was the tip? 362 00:18:25.839 --> 00:18:29.559 The author suggests that even if you haven't actually recovered definitive, 363 00:18:29.599 --> 00:18:34.240 incriminating evidence yet, just bringing a thick, official looking file 364 00:18:34.319 --> 00:18:38.480 folder into an interview room, yeah, and simply laying your 365 00:18:38.519 --> 00:18:40.680 hand on it while you talk, maybe glancing through it 366 00:18:40.680 --> 00:18:43.480 occasionally like you know something. Yeah, that can sometimes be 367 00:18:43.640 --> 00:18:45.720 enough psychological pressure to get a confession. 368 00:18:45.839 --> 00:18:47.759 Really just a prop folder. 369 00:18:47.960 --> 00:18:50.920 It plays on the suspects fear of what you might 370 00:18:50.960 --> 00:18:54.640 already know, taps into their guilt. It shows the investigator 371 00:18:54.680 --> 00:18:56.880 needs to be part technologist part psychologist. 372 00:18:57.000 --> 00:19:00.680 Absolutely, it seems like a good investigator needs both skill sets. 373 00:19:01.039 --> 00:19:03.759 Any other interesting bits on that human side, or maybe 374 00:19:03.880 --> 00:19:07.799 how these digital investigations ultimately connect with the broader legal system. 375 00:19:07.799 --> 00:19:11.839 Definitely, yeah. Beyond the individual suspect, the whole investigation eventually 376 00:19:11.839 --> 00:19:15.519 interacts with the kerninal justice system. And here time is 377 00:19:15.599 --> 00:19:16.400 absolutely critical. 378 00:19:16.480 --> 00:19:17.599 Why is time so important? 379 00:19:17.799 --> 00:19:20.480 The book really stresses that the longer the delay in 380 00:19:20.519 --> 00:19:23.359 reporting a computer crime, the less likely it is that 381 00:19:23.359 --> 00:19:27.039 a suspect can even be located, let alone successfully prosecuted. 382 00:19:27.640 --> 00:19:30.319 A big reason is simply that computer logs the records 383 00:19:30.640 --> 00:19:34.359 of who did what when don't last forever, they get overwritten. 384 00:19:35.160 --> 00:19:36.880 The trail goes cold fast. 385 00:19:37.160 --> 00:19:40.960 Very fast. And for investigators working inside companies, a key 386 00:19:41.039 --> 00:19:45.440 legal takeaway is the vital importance of having clear, unambiguous 387 00:19:45.480 --> 00:19:49.880 company policies that authorize the company to access company owned equipment. 388 00:19:50.480 --> 00:19:54.359 This provides the legal basis for internal investigations. 389 00:19:53.640 --> 00:19:55.440 Right avoiding legal challenges. 390 00:19:55.119 --> 00:19:58.720 Leter Precisely, the book mentions the Northwest Airlines case where 391 00:19:58.799 --> 00:20:02.119 flight attendants home computer re subpoenaed because they potentially contained 392 00:20:02.160 --> 00:20:05.680 company data relevant to a dispute. It's a stark reminder 393 00:20:05.680 --> 00:20:08.720 of how these legal boundaries were evolving even then, sometimes 394 00:20:08.759 --> 00:20:11.039 extending beyond company hardware and. 395 00:20:11.039 --> 00:20:12.319 The different standards in court. 396 00:20:12.519 --> 00:20:16.920 Yes. The chapter clearly differentiates between criminal court, which requires 397 00:20:17.000 --> 00:20:20.359 proof beyond a reasonable doubt of very high bar, in 398 00:20:20.440 --> 00:20:25.079 civil court, which typically uses the standard of preponderance of 399 00:20:25.119 --> 00:20:27.799 the evidence. Basically, is it more likely than not that 400 00:20:27.839 --> 00:20:31.079 the defendant is responsible? Easier to mean generally yes, Yeah, 401 00:20:31.119 --> 00:20:34.519