WEBVTT 1 00:00:00.080 --> 00:00:05.040 Imagine this scenario, a multi billion dollar fraud scheme right 2 00:00:05.839 --> 00:00:09.240 blown wide open just by a single email or maybe 3 00:00:10.119 --> 00:00:11.039 a Loane thumb drive. 4 00:00:11.199 --> 00:00:14.119 Yeah, or think about a vandal documenting their own crime 5 00:00:14.240 --> 00:00:17.679 on YouTube using their phone, thinking they're completely. 6 00:00:17.239 --> 00:00:20.760 Anonymous, exactly. And this isn't science fiction, is it. It's 7 00:00:20.800 --> 00:00:22.760 the real world of computer forensics. 8 00:00:22.960 --> 00:00:25.600 It really is. And today we're taking a deep dive 9 00:00:25.719 --> 00:00:29.960 into that pretty fascinating world. We're using excerpts from Hacking 10 00:00:30.079 --> 00:00:33.880 Exposed Computer Forensics, second Edition, And you know, the book 11 00:00:33.920 --> 00:00:36.679 itself says this isn't an incident response handbook. It's more 12 00:00:36.719 --> 00:00:40.920 of a guide to understanding how digital evidence really changes investigations. 13 00:00:41.119 --> 00:00:44.039 That's a really important distinction. So our mission for you, 14 00:00:44.159 --> 00:00:47.280 our listener, is to sort of unpack how these forensic 15 00:00:47.359 --> 00:00:52.359 investigators uncover those well invisible digital footprints. 16 00:00:51.840 --> 00:00:55.200 From really complex corporate fraud like that multi billion dollar example, 17 00:00:55.359 --> 00:00:57.840 down to individual misconduct, and. 18 00:00:57.799 --> 00:00:59.640 We'll look at what it takes to make that evidence 19 00:00:59.640 --> 00:01:02.439 actually stand up in court, how the field has evolved, 20 00:01:02.439 --> 00:01:04.200 the tools, the techniques, and. 21 00:01:04.239 --> 00:01:07.920 Really why it's just so vital in today's world, which is, 22 00:01:08.280 --> 00:01:10.519 let's face it, completely driven by information. 23 00:01:10.719 --> 00:01:13.439 Okay, So let's unravel it. Where do we start the evolution? 24 00:01:13.719 --> 00:01:16.519 Maybe, yeah, let's zoom out a bit. Computer forensics has 25 00:01:16.560 --> 00:01:20.760 just fundamentally changed investigations since say two thousand and four, 26 00:01:20.799 --> 00:01:22.879 when the first edition of this book came out. Right 27 00:01:23.159 --> 00:01:27.359 back then, investigators, you know, they spent ages wading through 28 00:01:27.400 --> 00:01:29.000 paper documents. 29 00:01:28.719 --> 00:01:30.319 Mountains of them, I can picture it. 30 00:01:30.439 --> 00:01:33.640 But now electronic evidence it's not just a piece of 31 00:01:33.680 --> 00:01:36.799 the puzzle. It's off in front and center. It's crucial 32 00:01:36.879 --> 00:01:39.840 for figuring out not just what happened, but the intent 33 00:01:40.040 --> 00:01:40.719 behind it all. 34 00:01:40.840 --> 00:01:42.200 Intent, right, that's key. 35 00:01:42.400 --> 00:01:45.239 Think about the huge financial crises like two thousand and eight, 36 00:01:45.280 --> 00:01:49.040 two thousand and nine, subprime mortgages, all that stuff. Digital 37 00:01:49.079 --> 00:01:53.599 forensics was absolutely essential in exposing the fraud underneath it all. 38 00:01:53.680 --> 00:01:55.879 That's a massive shift. And it's not just about the 39 00:01:55.879 --> 00:01:58.680 technology itself, is it. There's a big human element here too. Oh. 40 00:01:58.760 --> 00:02:03.959 Absolutely. The author's Aaron Phillip, John Lovelin, Rudy Peck, Peter Marcatos, 41 00:02:04.000 --> 00:02:07.480 Andrew Rosen, and the technical editor Luis Sharinghausen Junior. They 42 00:02:07.519 --> 00:02:11.680 come from really diverse backgrounds. You've got high tech investigations, 43 00:02:11.800 --> 00:02:15.840 ip theft experts, law enforcement folks from the EPA's Criminal 44 00:02:15.879 --> 00:02:20.479 Investigation Division. Wow, even people from the National Computer Forensics Lab, 45 00:02:21.120 --> 00:02:24.199 Electronic Crimes Team, and commercial litigation. 46 00:02:24.400 --> 00:02:27.759 So it really underscores that blend. You need the technical 47 00:02:27.800 --> 00:02:29.960 skills and the legal know how definitely. 48 00:02:30.280 --> 00:02:32.240 And one thing the book does which is quite clever, 49 00:02:32.360 --> 00:02:35.240 is use these attack icons and countermeasure icons. 50 00:02:35.280 --> 00:02:37.840 Okay, tell me about those. How do they help someone understand? 51 00:02:38.280 --> 00:02:42.560 Well, think of them as like signals for you, the listener. 52 00:02:42.960 --> 00:02:46.159 An attack icon highlights something that could mess up an investigation, 53 00:02:46.439 --> 00:02:50.120 like what, for instance, like an investigator accidentally writing data 54 00:02:50.159 --> 00:02:52.639 onto the original evidence drive while they're trying to copy it. 55 00:02:52.680 --> 00:02:53.879 That's a huge no. 56 00:02:53.680 --> 00:02:56.639 No, right, that would compromise it. So if the attack 57 00:02:56.840 --> 00:02:59.879 icon warns you, what does the countermeasure icon? 58 00:03:00.439 --> 00:03:03.080 The countermeasure shows you exactly what to do to avoid 59 00:03:03.080 --> 00:03:06.639 that problem. So, for that hard drive example, the countermeasure 60 00:03:06.800 --> 00:03:08.560 is correctly hashing the drive. 61 00:03:08.680 --> 00:03:12.000 Hashing like creating a unique digital fingerprint. 62 00:03:11.840 --> 00:03:15.479 Exactly a fingerprint, and then you verify that fingerprint after 63 00:03:15.520 --> 00:03:17.479 you've made the copy of the image. Okay, And the 64 00:03:17.479 --> 00:03:21.759 book rates these risks based on popularity. How often does 65 00:03:21.800 --> 00:03:23.840 this happen? Simplicity? How easy is it to make this 66 00:03:23.879 --> 00:03:27.120 mistake impact, how bad is the damage? And then a 67 00:03:27.159 --> 00:03:28.240 final risk rating. 68 00:03:28.319 --> 00:03:30.879 So it's all about making sure that evidence is, as 69 00:03:30.879 --> 00:03:32.000 you said, unassailable. 70 00:03:32.199 --> 00:03:35.319 Precisely. Unassailable is the word, because when we get to 71 00:03:35.319 --> 00:03:38.520 the Bedrock principles, the core idea is that evidence must 72 00:03:38.599 --> 00:03:42.840 be defensible, it must be unassailable. Why because it's almost 73 00:03:42.879 --> 00:03:44.240 certainly going to end up in court. 74 00:03:44.479 --> 00:03:48.280 Okay, So what are those absolute must do safeguards the 75 00:03:48.360 --> 00:03:49.240 non negotiables. 76 00:03:49.400 --> 00:03:51.599 Well, first and foremost, you've got the chain of custody. 77 00:03:51.919 --> 00:03:55.599 This isn't just paperwork. It's a super meticulous record, right. 78 00:03:55.639 --> 00:03:58.360 It shows exactly who had the evidence, when, what they 79 00:03:58.400 --> 00:04:01.039 did with it, basically proving it hasn't been tampered with. 80 00:04:01.280 --> 00:04:02.560 How do they prove that digitally? 81 00:04:02.840 --> 00:04:06.439 Using those cryptographic hashing functions we mentioned MD five SAHA one, 82 00:04:06.680 --> 00:04:10.599 they create that unique digital fingerprint at key moments. If 83 00:04:10.680 --> 00:04:12.240 even one tiny bit. 84 00:04:12.159 --> 00:04:14.639 Of data changes, the fingerprint changes, the. 85 00:04:14.520 --> 00:04:18.680 Fingerprint changes, proof of tampering or at least proof that 86 00:04:18.759 --> 00:04:19.720 something changed. 87 00:04:20.000 --> 00:04:23.199 Okay, so it's like a digital tamper proof seal, got it? 88 00:04:23.600 --> 00:04:24.560 What else is critical? 89 00:04:24.720 --> 00:04:28.040 Then there's completeness. Investigators have to and the book says 90 00:04:28.040 --> 00:04:31.199 this look in every nook and cranny. 91 00:04:31.040 --> 00:04:32.199 Every nook and cranny. 92 00:04:32.560 --> 00:04:37.040 Why so exhaustive because, as the book puts it, lawyers 93 00:04:37.199 --> 00:04:40.040 hate new evidence popping up unexpectedly in court. 94 00:04:40.199 --> 00:04:41.839 Uh. I can imagine it. 95 00:04:41.800 --> 00:04:45.680 Can completely derail a case. No client wants that kind 96 00:04:45.680 --> 00:04:49.000 of surprise, especially when you know their reputation or even 97 00:04:49.079 --> 00:04:50.199 freedom is on the line. 98 00:04:50.279 --> 00:04:53.920 So meticulousness is key. What about the human factor bias? 99 00:04:53.959 --> 00:04:57.160 Maybe good point that leads to bias awareness. This field 100 00:04:57.160 --> 00:05:01.279 demands full disclosure. Absolute impartiality makes sense. The book even 101 00:05:01.279 --> 00:05:03.519 suggests bringing in a third party firm if there's any 102 00:05:03.560 --> 00:05:06.720 potential conflict of interest, like, uh, maybe the lead investigator 103 00:05:06.720 --> 00:05:08.879 head dinner at the suspects house two years ago. 104 00:05:09.000 --> 00:05:09.920 Yeah, that wouldn't look good. 105 00:05:10.079 --> 00:05:13.160 Any hint of impropriety can just sink the evidence in court. 106 00:05:13.279 --> 00:05:17.519 Okay. So to manage all this complexity, is there like 107 00:05:18.079 --> 00:05:19.240 a standard process? 108 00:05:19.560 --> 00:05:23.600 There is actually the Electronic Discovery Reference Model or EDRM. 109 00:05:23.759 --> 00:05:24.839 It came about in May. 110 00:05:24.639 --> 00:05:26.600 Two thousand and five DRM. Okay. 111 00:05:26.639 --> 00:05:30.639 It basically provides a standard framework brings some order to 112 00:05:30.800 --> 00:05:33.839 analyzing and producing electronic data for legal stuff. 113 00:05:34.040 --> 00:05:35.800 What are the first steps in that model? 114 00:05:35.959 --> 00:05:39.360 The initial steps are crucial first define the scope what 115 00:05:39.399 --> 00:05:43.040 are we looking for? Then identify all the places data 116 00:05:43.160 --> 00:05:47.879 might be PCs, phones, cloud storage, you name it right. 117 00:05:48.000 --> 00:05:51.240 Then you strategize how to preserve that data, lock it 118 00:05:51.319 --> 00:05:54.360 down and critically establish that chain of custody as soon. 119 00:05:54.199 --> 00:05:55.920 As possible, preserve document. 120 00:05:56.319 --> 00:05:59.160 Only after all that groundwork has done, should investigators even 121 00:05:59.199 --> 00:06:03.079 start to preview the data, and only using forensically sound tools, 122 00:06:03.240 --> 00:06:05.399 you know, to make sure they don't accidentally change anything. 123 00:06:05.480 --> 00:06:07.720 Okay, so that's the process Bedrock. Now let's get out 124 00:06:07.720 --> 00:06:10.600 of the digital hood. What are the computers themselves? The 125 00:06:10.639 --> 00:06:11.279 book uses a. 126 00:06:11.279 --> 00:06:16.879 Cool analogy, yeah, the human body analogy. It compares computer modules, biosos, processor, 127 00:06:17.000 --> 00:06:20.240 hard disk to things like the heart, lungs, eyes. Well, 128 00:06:20.279 --> 00:06:23.399 each part does simple tasks, right, but when they work 129 00:06:23.439 --> 00:06:27.319 together they perform incredibly complex functions. Same with the computer, 130 00:06:27.839 --> 00:06:29.680 simple parts, complex results. 131 00:06:29.920 --> 00:06:31.519 That's a great way to think about it. And hard 132 00:06:31.600 --> 00:06:32.879 drives they get special mention. 133 00:06:33.000 --> 00:06:36.120 Oh yeah, marvels of modern engineering. They talk about the 134 00:06:36.160 --> 00:06:39.480 platter spinning and the read write heads flying over them. 135 00:06:39.839 --> 00:06:42.399 The analogy is like a mock one plane just two 136 00:06:42.439 --> 00:06:45.240 feet off the runway. That's how close and fast they operate. 137 00:06:45.480 --> 00:06:48.079 Wow, that's incredible precision. 138 00:06:48.279 --> 00:06:51.800 And for newer systems they mention SaaS drives that serial 139 00:06:51.839 --> 00:06:56.160 attached SCSI. It's an evolution of the older SESI interface, 140 00:06:56.319 --> 00:06:59.639 offering much faster speeds, which is really important when you're 141 00:06:59.639 --> 00:07:01.839 trying to be huge amounts of data quickly. 142 00:07:02.240 --> 00:07:06.759 So modern storage is amazing. Yeah, what about older stuff? 143 00:07:07.000 --> 00:07:09.519 What if the evidence isn't on a super fast SAS drive? 144 00:07:09.600 --> 00:07:10.959 What challenges pop up? Then? 145 00:07:11.759 --> 00:07:14.120 You mean the eight tracks of the computing world. 146 00:07:14.319 --> 00:07:16.519 Floppy disks, floppy discs. I remember those. 147 00:07:16.839 --> 00:07:21.279 They're actually surprisingly tough physically, But the book warns, woe 148 00:07:21.360 --> 00:07:24.000 be the investigator who has to deal with them? Why 149 00:07:24.040 --> 00:07:28.120 is that their formatting methods were often really obscure, poorly documented. 150 00:07:28.199 --> 00:07:30.560 It can be like digital archaeology, just trying to get 151 00:07:30.560 --> 00:07:31.399 the data off. 152 00:07:31.240 --> 00:07:35.439 Them, so like digging up ancient artifacts. Yeah, do investigators 153 00:07:35.480 --> 00:07:37.839 actually run into these much anymore more. 154 00:07:37.720 --> 00:07:41.120 Than you'd think, especially with older systems, maybe long running 155 00:07:41.160 --> 00:07:44.720 fraud cases. And then you have tape backups? Oh yeah, 156 00:07:44.759 --> 00:07:48.040 servers often use tapes right, commonly used for servers, but 157 00:07:48.120 --> 00:07:51.040 extracting evidence from them. The book calls it a dicey 158 00:07:51.120 --> 00:07:54.560 proposition at best. Dicey Yeah, because there's just so much 159 00:07:54.639 --> 00:07:58.879 variety in the hardware the software. You might find date tapes, 160 00:07:59.160 --> 00:08:02.639 dlt L. Each one is its own little puzzle to 161 00:08:02.639 --> 00:08:05.720 figure out, like a nightmare it can be. And then 162 00:08:05.800 --> 00:08:09.439 moving to more modern stuff, you have memory technologies, memory cards, 163 00:08:09.519 --> 00:08:14.480 digital cameras, MP three players, smartphones. They're everywhere exactly and 164 00:08:14.519 --> 00:08:18.079 they are very frequent sources of evidence. The absolute key 165 00:08:18.120 --> 00:08:21.360 principle when handling these is read only. You cannot risk 166 00:08:21.480 --> 00:08:23.000 modifying the data accidentally. 167 00:08:23.040 --> 00:08:26.399 Read only got it. So once you understand the devices, 168 00:08:26.439 --> 00:08:27.959 you need the right place to work on them, the 169 00:08:28.000 --> 00:08:31.000 forensic fortress, the lab. What makes a good lab, A. 170 00:08:30.959 --> 00:08:34.759 Well equipped lab is non negotiable. You need serious processing power, 171 00:08:35.039 --> 00:08:39.240 a big monitor for detailed work, external drive bays, lots 172 00:08:39.240 --> 00:08:43.679 of RAM fast internal drives like SATA or SCSI. 173 00:08:44.080 --> 00:08:47.759 So powerful gear, But what about securing the lab itself 174 00:08:48.639 --> 00:08:49.840 and the evidence within it? 175 00:08:50.039 --> 00:08:55.000 Security is layered physically. You need high grade materials for locks, 176 00:08:55.279 --> 00:08:59.799 multiple authentication methods, pins, maybe fingerprints, and detailed logs of 177 00:08:59.799 --> 00:09:01.000 who who enters and leaves. 178 00:09:01.000 --> 00:09:02.720 The last makes sense, keep track of everyone. 179 00:09:02.919 --> 00:09:06.840 Network isolation is also critical. An air gap physically disconnected 180 00:09:06.840 --> 00:09:09.559 from outside networks or at least a very robust firewall. 181 00:09:10.039 --> 00:09:13.320 You have to protect your trusted forensic systems from well, 182 00:09:13.440 --> 00:09:15.360 curious and malicious crackers out there. 183 00:09:15.480 --> 00:09:16.519 Keep the bad guys out. 184 00:09:16.679 --> 00:09:21.159 And don't forget environmental stuff, fire protection, automatic suppression systems, 185 00:09:21.240 --> 00:09:25.320 fireproof storage, to guard against unforeseen natural disaster. You're building 186 00:09:25.320 --> 00:09:26.120 a protective. 187 00:09:25.759 --> 00:09:29.559 Bubble, okay, a secure bubble. What tools are essential inside 188 00:09:29.559 --> 00:09:31.600 that bubble? What can't an investigator work without? 189 00:09:31.840 --> 00:09:35.559 Right blockers? Absolutely essential. These are forensically sound devices. Think 190 00:09:35.559 --> 00:09:37.720 of them like a diode or a check valve for data. 191 00:09:38.039 --> 00:09:39.759 A check valve. How does that work? 192 00:09:40.240 --> 00:09:43.679 It ensures data can only travel one way from the 193 00:09:43.679 --> 00:09:47.799 evidence drive to the forensic workstation. It physically stops the 194 00:09:47.840 --> 00:09:50.080 computer from running back to the evidence drive. 195 00:09:49.919 --> 00:09:52.720 Ah, preventing those axidle modifications we talked about. 196 00:09:52.639 --> 00:09:55.320 Exactly which could make the evidence useless in court. 197 00:09:55.720 --> 00:09:58.639 That's clever, like a one way street for data. What 198 00:09:58.679 --> 00:10:02.519 about investigators working out outside the lab in the field, Yeah. 199 00:10:02.360 --> 00:10:06.000 They need a field kit. It's got essentials. Permanent markers 200 00:10:06.000 --> 00:10:10.879 for labeling everything, clearly, anti static bags to protect the electronic. 201 00:10:10.399 --> 00:10:12.080 Basic but crucial stuff. 202 00:10:11.960 --> 00:10:15.080 Very crucial and for really sensitive drives, especially if you're traveling. 203 00:10:15.159 --> 00:10:18.200 The advices use padded boxes and if you have to 204 00:10:18.720 --> 00:10:21.720 hand carry them on the plane, don't check them. Protect 205 00:10:21.799 --> 00:10:22.360 that evidence. 206 00:10:22.600 --> 00:10:25.519 Okay, So you've got the lab, the tools, the mindset. 207 00:10:25.720 --> 00:10:29.240 Now the actual hunt for data. How do you collect 208 00:10:29.320 --> 00:10:33.480 evidence from say a single computer in a forensically sound way. 209 00:10:33.840 --> 00:10:37.200 It's very methodical, almost like a ritual. First step, power 210 00:10:37.279 --> 00:10:41.399 down the system properly, then physically disconnect the power cord, 211 00:10:41.840 --> 00:10:47.480 eject any media CDs, DVDs, USBs. And the book even 212 00:10:47.600 --> 00:10:50.600 mentions the old paper clip trick for a stubborn CD 213 00:10:50.720 --> 00:10:51.240 ROM drive. 214 00:10:51.360 --> 00:10:53.480 Ah, good old paper. 215 00:10:53.159 --> 00:10:55.919 Clip, and this is vital. Fill out a separate chain 216 00:10:55.960 --> 00:10:59.080 of custody form for every single item you remove, every 217 00:10:59.120 --> 00:11:03.039 hard drive, every flash drive, every DiscT document, everything. 218 00:11:02.720 --> 00:11:05.960 Every single piece tracked. Okay, Then comes imaging the drive right, 219 00:11:06.080 --> 00:11:06.960 that sounds critical. 220 00:11:07.080 --> 00:11:09.879 It is the critical step. This is where tools like 221 00:11:10.080 --> 00:11:12.879 end case or the DD command and Linux smart ftk 222 00:11:13.039 --> 00:11:13.799 immager come in. 223 00:11:13.879 --> 00:11:14.840 What do they do exactly? 224 00:11:14.960 --> 00:11:17.720 Their main job is to create an exact bit for 225 00:11:17.840 --> 00:11:21.159 bit copy of forensic image of the original drive. Every file, 226 00:11:21.279 --> 00:11:24.639 every deleted fragment, all the hidden data gets preserved. 227 00:11:24.240 --> 00:11:25.240 The perfect snapshot. 228 00:11:25.320 --> 00:11:28.960 Yes, and a crucial point. When you're imaging a drive 229 00:11:29.000 --> 00:11:32.159 on a Windows system, you must use a hardware right blocker. 230 00:11:32.320 --> 00:11:37.519 Why specifically Windows, because Windows automatically tries to write system information, timestams, 231 00:11:37.600 --> 00:11:40.279 log entries to any new drive it sees. If you 232 00:11:40.320 --> 00:11:43.519 connect and evidence drive directly, Windows will write to it instantly, 233 00:11:43.519 --> 00:11:46.240 compromising its integrity. The right blocker prevents that. 234 00:11:46.600 --> 00:11:49.360 Got it essential for Windows. So once you have the image, 235 00:11:49.600 --> 00:11:52.120 the snapshot, what's next, bag and tag. 236 00:11:52.000 --> 00:11:55.919 Exactly, you properly label the original drive using tamperproof peel 237 00:11:55.960 --> 00:11:59.320 and stick labels. Document everything on the label and in 238 00:11:59.360 --> 00:12:06.080 your logs. Then secure storage a locked location, access strictly controlled, 239 00:12:06.240 --> 00:12:09.120 only authorized personnel, ready for court. 240 00:12:09.519 --> 00:12:13.200 Okay, that covers the traditional approach. But things are changing, right, 241 00:12:13.279 --> 00:12:15.440 Remote investigations are becoming more common. 242 00:12:15.600 --> 00:12:17.960 Yeah, the whole business climate is pushing things that way. 243 00:12:18.279 --> 00:12:22.559 Thing wrongful termination suits, IP, theft, new regulations, it's all 244 00:12:22.600 --> 00:12:25.000 forcing current forensic approaches to evolve. 245 00:12:25.080 --> 00:12:26.360 As the book says, how. 246 00:12:26.279 --> 00:12:29.120 So, well, you've got global companies, massive amounts of data 247 00:12:29.120 --> 00:12:33.320 spread everywhere, and tricky workplace privacy issues. Sending an investigator 248 00:12:33.360 --> 00:12:36.519 on site isn't always practical or even possible anymore. 249 00:12:36.159 --> 00:12:38.759 And privacy. Yeah, that sounds like a minefield. 250 00:12:38.840 --> 00:12:42.200 It can be. The book highlights a major pitfall violating 251 00:12:42.200 --> 00:12:45.240 private sector workplace privacy. If a company doesn't have a 252 00:12:45.279 --> 00:12:49.759 clear acceptable Use policy an AUP, or just a clear 253 00:12:49.799 --> 00:12:53.320 policy on employee privacy expectations that employees have acknowledged, that 254 00:12:53.360 --> 00:12:55.360 company is really exposed to liability. 255 00:12:55.559 --> 00:12:56.440 So what's the fix? 256 00:12:56.960 --> 00:13:00.519 The countermeasure a well written AUP that employees actually sign 257 00:13:00.559 --> 00:13:05.000 off on. It needs to clearly state what's allowed, what's monitored, 258 00:13:05.080 --> 00:13:07.960 and what the expectation of privacy is or isn't on 259 00:13:08.080 --> 00:13:10.799 company systems. That's the company's. 260 00:13:10.399 --> 00:13:14.279 Legal shield, crucial for any business listening. Yeah, so if 261 00:13:14.279 --> 00:13:18.000 physical collection is hard, what's the remote alternative tools? 262 00:13:18.120 --> 00:13:21.919 Like in case enterprise. Their true power, according to the book, 263 00:13:22.200 --> 00:13:25.279 is accessing data on a live system remotely. 264 00:13:24.919 --> 00:13:26.519 Without physically taking the drive. 265 00:13:26.440 --> 00:13:29.559 Exactly, with just a few clicks, you can potentially access 266 00:13:29.559 --> 00:13:31.879 and image the data. You can even do it covertly 267 00:13:31.960 --> 00:13:35.799 sometimes covertly. Yeah, though you always have to consider network speed. 268 00:13:36.080 --> 00:13:39.279 Imaging terabytes over a slow connection that could still take days, 269 00:13:40.000 --> 00:13:42.799 but it avoids the need for physical access. 270 00:13:43.000 --> 00:13:46.120 Okay, and what about those little USB drives you mentioned them? Earlier. 271 00:13:46.480 --> 00:13:49.279 They seem like a huge risk for companies losing data. 272 00:13:49.600 --> 00:13:53.679 Oh, a gigantic risk for corporations, especially for IP theft 273 00:13:53.679 --> 00:13:55.799 people just walking out with sensitive data. 274 00:13:56.120 --> 00:13:59.039 How to investigators track those? They seem so easy to hide. 275 00:13:59.200 --> 00:14:03.240 That's where digital footprints get really specific. Investigators dive into 276 00:14:03.279 --> 00:14:04.440 the Windows registry. 277 00:14:04.519 --> 00:14:08.279 The registry like the computer's central logbook sort of. 278 00:14:08.399 --> 00:14:11.919 Yeah, it's a huge database of settings and activity. They 279 00:14:11.919 --> 00:14:16.639 look specifically at a key called USB store USB store yep, 280 00:14:16.639 --> 00:14:19.879 it's like a guestbook for USB devices. It logs when 281 00:14:19.879 --> 00:14:22.919 a device was last plugged in. Even better, it often 282 00:14:22.960 --> 00:14:26.759 records the device's unique hard coded serial number the instanciety 283 00:14:26.879 --> 00:14:29.720 that's a very reliable way to track a specific thumb drive. 284 00:14:29.840 --> 00:14:32.639 Wow, so even a simple USB stick leaves a pretty 285 00:14:32.639 --> 00:14:35.679 clear trail. What about other user actions? How do you 286 00:14:35.720 --> 00:14:38.200 piece together what a suspect has taken or done on 287 00:14:38.200 --> 00:14:38.679 the computer? 288 00:14:38.840 --> 00:14:42.639 Now? Really unmasking activity? Take Microsoft Office documents. They're often 289 00:14:42.639 --> 00:14:43.799 full of hidden metadata. 290 00:14:43.840 --> 00:14:45.440 Get a data like data about the. 291 00:14:45.480 --> 00:14:52.919 Data exactly hidden fields called custom properties, things like review, cycleide, author, email, 292 00:14:53.080 --> 00:14:57.120 even email subject. This stuff can directly link a user 293 00:14:57.159 --> 00:15:00.200 to a document, sometimes even showing the email addressing CA. 294 00:15:00.039 --> 00:15:01.799 Came from hidden right inside the file. 295 00:15:02.000 --> 00:15:05.360 Sometimes, but interestingly, this info is often stored outside the 296 00:15:05.399 --> 00:15:09.320 main document file, in little companion files like adhosse dot 297 00:15:09.440 --> 00:15:11.679 rcd or review dot rcd. 298 00:15:11.960 --> 00:15:14.279 That's sneaky, so much hidden info. 299 00:15:14.559 --> 00:15:17.320 And investigators can also search for something called the PI, 300 00:15:17.519 --> 00:15:21.159 which can lead to the document's unique MC address m 301 00:15:21.159 --> 00:15:21.759 MAC address. 302 00:15:21.960 --> 00:15:23.679 That's like the network cards fingerprint. 303 00:15:23.759 --> 00:15:26.320 Precisely, it's like the VIN number for the network card 304 00:15:26.519 --> 00:15:28.960 on the computer that created or last saved the document. 305 00:15:29.000 --> 00:15:30.480 A very powerful identifier. 306 00:15:30.600 --> 00:15:34.159 Okay, so documents, bill secrets. What about web browsing. Let's 307 00:15:34.159 --> 00:15:36.159 start with the Internet explore. People use that for ages. 308 00:15:36.360 --> 00:15:39.120 Yeah, and here's the interesting thing about IE. Even though 309 00:15:39.120 --> 00:15:42.200 it's old, it's kind of a digital tattletale. Also, because 310 00:15:42.200 --> 00:15:46.000 it was so deeply woven into Windows, it left tracks everywhere. 311 00:15:46.240 --> 00:15:49.559 Every click, every site visit often got logged and hidden 312 00:15:49.600 --> 00:15:51.159 files called index. 313 00:15:50.799 --> 00:15:52.360 Dot dot index dot det. 314 00:15:52.480 --> 00:15:57.000 Yeah. They act like lookup tables for browsing history, cash files, cookies, 315 00:15:57.159 --> 00:16:01.600 and cookies themselves store useful stuff like use names, site preferences. 316 00:16:01.879 --> 00:16:04.039 It's often less about what they searched for and more 317 00:16:04.039 --> 00:16:05.960 about proving they were on a certain side at a 318 00:16:06.000 --> 00:16:06.519 certain time. 319 00:16:06.639 --> 00:16:09.200 So even if you think you deleted your history, IE 320 00:16:09.440 --> 00:16:13.080 might still hold clues. What about Firefox? Is it different? 321 00:16:13.320 --> 00:16:17.200 Firefox is generally a bit tidier. Its files are more consolidated, 322 00:16:17.399 --> 00:16:19.720 usually easier for investigators to parse. 323 00:16:20.440 --> 00:16:22.240 Except uh oh, except what? 324 00:16:22.440 --> 00:16:25.399 Except for its history file format called m ork. The 325 00:16:25.440 --> 00:16:27.840 book does not mince words here. It calls m ork 326 00:16:28.279 --> 00:16:30.080 what happens when open source goes bad? 327 00:16:30.320 --> 00:16:32.039 Oh? Why so harsh? 328 00:16:32.279 --> 00:16:35.440 Apparently it's just a really complex, difficult format to extract 329 00:16:35.480 --> 00:16:38.320 reliable data from, sometimes a real headache for investigators. 330 00:16:38.360 --> 00:16:41.919 Good to know. Okay. Besides browsers and documents, what else? 331 00:16:41.960 --> 00:16:43.679 In Windows tracks user activity? 332 00:16:44.159 --> 00:16:46.879 There's a really important artifact called user assists. 333 00:16:47.000 --> 00:16:48.399 User assists, Yeah. 334 00:16:48.440 --> 00:16:51.039 Think of it as Windows keeping notes on what programs 335 00:16:51.080 --> 00:16:53.879 you run. It logs the application's name, its path, how 336 00:16:53.879 --> 00:16:55.679 many times you run it, and the last time you 337 00:16:55.759 --> 00:16:56.080 ran it. 338 00:16:56.120 --> 00:16:57.720 That sounds incredibly useful. 339 00:16:58.039 --> 00:17:01.840 It is especially for spotting programs run from a USB drive, 340 00:17:02.120 --> 00:17:04.759 or even figuring out what applications were used right before 341 00:17:04.759 --> 00:17:07.319 they got deleted. It shows intent and action. 342 00:17:07.839 --> 00:17:12.920 Okay, let's shift here slightly specialized investigations. Mobile devices. First, 343 00:17:13.160 --> 00:17:14.759 They are everywhere. 344 00:17:14.319 --> 00:17:17.559 Absolutely permeated our lives, as the book says, and because 345 00:17:17.559 --> 00:17:20.119 people are so comfortable with them, they sometimes will take 346 00:17:20.200 --> 00:17:21.960 risks they wouldn't normally take, like. 347 00:17:21.920 --> 00:17:24.079 The examples we started with documenting crimes on their. 348 00:17:23.960 --> 00:17:27.440 Phones exactly, or the book mentions a gangster taking a 349 00:17:27.480 --> 00:17:30.680 picture of a deceased person with his phone. That casualness, 350 00:17:30.720 --> 00:17:34.240 that comfort level, it's nothing but good for investigators. 351 00:17:34.359 --> 00:17:36.839 Grim But I see the point, and the tech has 352 00:17:36.920 --> 00:17:38.480 changed massively since two thousand and. 353 00:17:38.480 --> 00:17:42.680 Four, huge changes from those early PDA cell phone combos 354 00:17:42.680 --> 00:17:47.279 to today's smartphones. Tools have evolved too. Parabin's Device Seizure, 355 00:17:47.359 --> 00:17:50.920 for instance, can pull data from literally hundreds of models 356 00:17:50.920 --> 00:17:54.079 of cell phones. What kind of data call logs, contacts, 357 00:17:54.200 --> 00:17:58.359 text messages, SMS, mms, sometimes even deleted stuff or voice 358 00:17:58.400 --> 00:18:02.359 recordings In case also has tools for older palm ost devices. 359 00:18:02.400 --> 00:18:03.759 What's the biggest challenge with phones? 360 00:18:04.079 --> 00:18:07.559 Passwords and encryption are often the big hurdle. Getting past 361 00:18:07.599 --> 00:18:11.839 lock screens requires specialized techniques, sometimes specialized hardware. 362 00:18:12.039 --> 00:18:15.759 Right, so phones are one specialized area. What about massive 363 00:18:15.839 --> 00:18:20.200 enterprise storage terabytes of data on raids, sands NAS systems. 364 00:18:20.319 --> 00:18:23.519 Yeah, dealing with systems holding terabytes of data that weren't 365 00:18:23.559 --> 00:18:27.319 really designed for easy desktop access is another big challenge. 366 00:18:27.359 --> 00:18:29.200 How do they tackle say arrayed array. 367 00:18:29.319 --> 00:18:32.920 For raids you often have to image each disc individually 368 00:18:33.240 --> 00:18:37.279 and then reconstruct the array digitally. For some network attached 369 00:18:37.319 --> 00:18:40.119 storage NAS systems, you might even need to take the 370 00:18:40.160 --> 00:18:42.839 system offline for a whole day to get a clean image. 371 00:18:42.880 --> 00:18:43.880 It can be disruptive. 372 00:18:44.039 --> 00:18:45.960 And tapes still tricking, Still. 373 00:18:45.799 --> 00:18:49.039 Tricky, Yeah, same issues with varied hardware and software. But 374 00:18:49.119 --> 00:18:53.240 tapes do have one unique advantage that physical rite protect tab. 375 00:18:53.200 --> 00:18:56.400 Ah like on old floppy discs or VHS tapes, a 376 00:18:56.440 --> 00:18:58.400 built in hardware right blocker. 377 00:18:58.160 --> 00:19:00.680 Exactly, a nice little forensic safeguard built right in. 378 00:19:00.920 --> 00:19:03.319 So with all this data terabytes, how on earth do 379 00:19:03.440 --> 00:19:06.519 investigators search through it efficiently? It sounds impossible. 380 00:19:06.799 --> 00:19:10.160 That's where full text indexing is a life saver. Tools 381 00:19:10.200 --> 00:19:14.000 like Glimpse or Access datas FTK use clever indexing methods 382 00:19:14.079 --> 00:19:15.559 like binary search trees. 383 00:19:15.680 --> 00:19:16.799 Binary search trees. 384 00:19:16.920 --> 00:19:18.680 Yeah, it's a way to organize the data so you 385 00:19:18.759 --> 00:19:23.039 can search massive amounts terabytes of data in seconds. Literally. 386 00:19:23.240 --> 00:19:26.960 It lets investigators zero in on keywords or relevant files 387 00:19:27.319 --> 00:19:29.960 incredibly quickly. Huge time saver. 388 00:19:30.160 --> 00:19:35.839 Okay, investigation done, data analyze. Now the endgame reporting and 389 00:19:35.880 --> 00:19:38.319 the justice system reporting seems crucial. 390 00:19:38.480 --> 00:19:40.960 It's one of the most crucial parts, the book argues, 391 00:19:41.000 --> 00:19:44.160 because if you can't clearly explain your findings communicate. 392 00:19:43.759 --> 00:19:45.599 The facts, all that hard work was for nothing. 393 00:19:45.720 --> 00:19:48.119 All of your hard work will be for not exactly. 394 00:19:48.599 --> 00:19:52.000 Forensic tools generate technical reports, sure, but those aren't the 395 00:19:52.000 --> 00:19:52.759 final product. 396 00:19:52.920 --> 00:19:56.880 What makes a good final report, then, say, for internal use, it. 397 00:19:56.839 --> 00:20:00.640 Needs an executive summary, high level, easy for a non 398 00:20:00.680 --> 00:20:04.319 technical person like an executive to grasp the key findings. 399 00:20:04.759 --> 00:20:07.960 The evidence needs clear annotations explaining why it's relevant, and 400 00:20:08.039 --> 00:20:10.759 often you convert the final report to PDF to lock 401 00:20:10.799 --> 00:20:13.680