WEBVTT 1 00:00:00.080 --> 00:00:02.359 Imagine this for a second. You've just cleared out of 2 00:00:02.359 --> 00:00:05.080 your browser history, maybe emptied the recyclement on your computer, 3 00:00:05.160 --> 00:00:08.439 and you think, okay, clean slate, everything's gone right. Hm, 4 00:00:08.919 --> 00:00:11.880 But what if I told you that, in uh, the 5 00:00:11.919 --> 00:00:17.519 really intricate world of computer forensics, deleted almost never means 6 00:00:17.839 --> 00:00:19.000 truly erased. 7 00:00:19.160 --> 00:00:21.600 That's exactly right. It's a fascinating field. 8 00:00:21.920 --> 00:00:24.800 Today we're taking a deep dive into that hidden universe. 9 00:00:25.760 --> 00:00:29.320 We're exploring computer forensics, and our guide is William's book 10 00:00:29.440 --> 00:00:30.760 Learn Computer Forensics. 11 00:00:30.960 --> 00:00:33.960 It really is a world where almost every digital interaction, 12 00:00:34.079 --> 00:00:37.119 every click, leaves some kind of trace, these little breadcrumbs. 13 00:00:37.759 --> 00:00:40.960 Understanding how to follow that trail, well, that's the key 14 00:00:41.039 --> 00:00:42.799 to uncovering what actually happened. 15 00:00:42.840 --> 00:00:45.759 And our mission for you listing in is to cut 16 00:00:45.759 --> 00:00:48.600 through all the technical jargon, all the complexity. 17 00:00:48.119 --> 00:00:49.039 Yeah, to simplify it. 18 00:00:49.119 --> 00:00:51.240 We want to pull out the most important nuggets of 19 00:00:51.280 --> 00:00:55.679 knowledge for you. How is digital evidence actually found, how 20 00:00:55.759 --> 00:00:58.719 is it analyzed? How is it used? You know, whether 21 00:00:58.759 --> 00:01:01.960 that's in a huge criminal case or maybe a corporate policy. 22 00:01:01.600 --> 00:01:05.159 Dispute, or even just understanding your own digital footprint exactly. 23 00:01:05.200 --> 00:01:08.040 We're going to help you grasp what's really going on 24 00:01:08.200 --> 00:01:11.920 beneath the surface of the devices you use every single day. 25 00:01:12.959 --> 00:01:15.840 So let's kick things off. Let's establish what we're actually 26 00:01:15.879 --> 00:01:19.400 talking about here. When we say computer forensics, we're essentially 27 00:01:19.400 --> 00:01:22.640 looking at a highly specialized type of investigation, aren't we. 28 00:01:22.640 --> 00:01:27.959 We are. It's all about finding, preserving, and then analyzing 29 00:01:28.159 --> 00:01:31.319 digital evidence. And that evidence, as you hinted, can be 30 00:01:31.480 --> 00:01:36.439 incredibly volatile, very fragile sphrisingly so precisely, and what's really 31 00:01:36.480 --> 00:01:39.400 insightful from the book is just how pervasive this digital 32 00:01:39.439 --> 00:01:42.400 evidence has become. It flat out states almost everything in 33 00:01:42.400 --> 00:01:44.239 life is connected to an electronic device. 34 00:01:44.359 --> 00:01:46.120 That's a huge statement, it is. 35 00:01:46.280 --> 00:01:49.280 But think about it. Your smart doorbill catches visitors, your 36 00:01:49.319 --> 00:01:53.159 phone tracks your steps, maybe even your location. Almost every 37 00:01:53.200 --> 00:01:54.840 action leaves these digital traces. 38 00:01:54.959 --> 00:01:57.480 So for an investigator, potential evidence is just. 39 00:01:58.159 --> 00:02:00.400 Everywhere, literally everywhere, And for. 40 00:02:00.400 --> 00:02:03.840 You listening, it's really important to understand just how broad 41 00:02:03.879 --> 00:02:08.319 this is. The sheer range of situations where computer forensics 42 00:02:08.319 --> 00:02:10.840 comes into play. Yeah, it covers both the public sector 43 00:02:11.000 --> 00:02:13.719 like law enforcement, and the private sector. 44 00:02:13.479 --> 00:02:17.400 Right from criminal courts all the way to corporate boardrooms. 45 00:02:16.960 --> 00:02:19.599 Which naturally leads to the question, right Okay, how are 46 00:02:19.599 --> 00:02:23.400 these investigations different or maybe similar? How are they actually 47 00:02:23.960 --> 00:02:25.719 conducted in these different worlds? 48 00:02:25.879 --> 00:02:27.879 That's a key distinction. Let's break it down. 49 00:02:27.960 --> 00:02:32.800 Okay, let's start with criminal investigations. When police, maybe the 50 00:02:32.800 --> 00:02:36.680 first responders, show up at a scene, they need more 51 00:02:36.719 --> 00:02:38.120 than just standard training right now. 52 00:02:38.120 --> 00:02:40.960 Oh, absolutely, they need specific knowledge. They need to spot 53 00:02:41.080 --> 00:02:44.199 items that could hold digital evidence. The obvious things like 54 00:02:44.240 --> 00:02:48.039 phones and laptops, sure, but also maybe gaming consoles, smart. 55 00:02:47.719 --> 00:02:49.680 Speakers, things you might not immediately think of. 56 00:02:49.800 --> 00:02:56.120 Exactly, and crucially, how to secure those items without contaminating them, 57 00:02:56.120 --> 00:02:58.080 without altering that fragile evidence. 58 00:02:58.159 --> 00:03:00.479 And there's a legal framework around this too, isn't there? 59 00:03:00.599 --> 00:03:04.240 Definitely? In the US, for example, the Fourth Amendment is foundational. 60 00:03:04.400 --> 00:03:07.120 It generally requires law enforcement to get a search warrant 61 00:03:07.439 --> 00:03:10.560 or have the owner's explicit consent before they can just 62 00:03:10.639 --> 00:03:11.919 seize digital devices. 63 00:03:12.039 --> 00:03:13.560 That's a cornerstone it is. 64 00:03:13.919 --> 00:03:16.560 It's a constitutional protection, and it deeply shapes how these 65 00:03:16.599 --> 00:03:19.319 investigations proceed. You can't just grab everything. 66 00:03:19.759 --> 00:03:24.520 Now here's where the book gets quite real. It delves 67 00:03:24.560 --> 00:03:28.680 into some very serious crimes, like those involving illicit images 68 00:03:28.680 --> 00:03:29.199 of children. 69 00:03:29.960 --> 00:03:33.439 Difficult but necessary area It highlights how the Internet provides 70 00:03:33.479 --> 00:03:38.879 this of this relatively anonymous access to potentially terabytes of 71 00:03:39.000 --> 00:03:40.639 data with simple clicks. 72 00:03:41.479 --> 00:03:44.159 The challenge the book points out isn't just finding the 73 00:03:44.199 --> 00:03:45.039 illegal content. 74 00:03:45.280 --> 00:03:46.639 No, that's often just the start. 75 00:03:46.759 --> 00:03:50.400 The real hurdle is definitively tying the user to this 76 00:03:50.479 --> 00:03:54.919 specific subject, pinpointing the actual person behind the keyboard, proving 77 00:03:54.919 --> 00:03:57.639 they access to it, possessed it. It's much harder than. 78 00:03:57.520 --> 00:03:59.840 People think it really is, and connecting that to sort 79 00:03:59.840 --> 00:04:03.599 of wider impact things like cyber stocking, cyberbullying. Maybe they 80 00:04:03.599 --> 00:04:06.759 seem less severe on the surface, but the consequences can 81 00:04:06.840 --> 00:04:08.280 be absolutely devastating. 82 00:04:08.560 --> 00:04:11.199 The book gives a really harrowing example, doesn't it. 83 00:04:11.039 --> 00:04:15.039 It does a terminated employee who for months sent manipulated, 84 00:04:15.120 --> 00:04:20.160 really compromising images of a former supervisor, just relentlessly awful, 85 00:04:20.240 --> 00:04:23.079 and the impact on the victim They ended up having 86 00:04:23.079 --> 00:04:26.879 to leave their job, change their name, and move just 87 00:04:26.920 --> 00:04:30.560 to escape. It shows how digital harassment isn't just online. 88 00:04:30.639 --> 00:04:32.879 It destroys real lives offline. 89 00:04:33.040 --> 00:04:35.439 And it's not always the obvious devices either. We're talking 90 00:04:35.439 --> 00:04:38.720 smart watches, fitness trackers, yeah, home assistants even right. 91 00:04:39.600 --> 00:04:44.160 The book mentions a fascinating case a criminal conspiracy. A suspect, 92 00:04:44.319 --> 00:04:47.279 while sitting in an interrogation room was actually using their 93 00:04:47.279 --> 00:04:51.519 smartwatch to communicate with co conspirators outside no way, yes, 94 00:04:51.920 --> 00:04:55.439 and finding that out led to additional charges. Another case, 95 00:04:55.519 --> 00:04:59.000 a very distinctive bracelet scene in a Facebook photo that 96 00:04:59.079 --> 00:05:02.560 became the crucial tying a suspect to a physical crime scene. 97 00:05:02.639 --> 00:05:05.360 Wow. So every connected device is potentially. 98 00:05:05.000 --> 00:05:08.439 A witness essentially, Yes, anything that records or transmits data. 99 00:05:08.600 --> 00:05:10.399 Okay, let's shift gears a bit. Let's talk about the 100 00:05:10.399 --> 00:05:13.199 corporate world here. It's a different kind of digital battlefield. 101 00:05:12.759 --> 00:05:17.720 Right it is. Investigations often center on things like employee misconduct, 102 00:05:18.040 --> 00:05:22.480 maybe corporate espionage, intellectual property theft, or the ever present 103 00:05:22.560 --> 00:05:23.319 insider threat. 104 00:05:23.360 --> 00:05:24.680 And now the rules are different too. 105 00:05:24.920 --> 00:05:28.439 They can be. Yeah, the rules of engagement might vary significantly. 106 00:05:29.160 --> 00:05:32.360 The book mentions Germany, for instance, where examining an employee's 107 00:05:32.360 --> 00:05:36.720 computer requires very specific, quite strict conditions to be met, 108 00:05:37.120 --> 00:05:38.319 mainly around privacy. 109 00:05:38.680 --> 00:05:40.839 So policies are key here. 110 00:05:40.759 --> 00:05:43.680 Absolutely crucial. In corporate settings, it often comes down to 111 00:05:43.920 --> 00:05:47.480 what's in the employee handbook or the company's digital usage policies. 112 00:05:48.040 --> 00:05:51.279 The forensic investigator's role here is often less about building 113 00:05:51.319 --> 00:05:55.160 a criminal case and more about being an impartial third party. 114 00:05:55.000 --> 00:05:57.399 The objective FactFinder exactly. 115 00:05:57.240 --> 00:06:01.279 To recover the artifacts to allow the FactFinder, like HR management, 116 00:06:01.560 --> 00:06:05.040 to make a well informed decision, maybe substantiating claims of 117 00:06:05.079 --> 00:06:09.279 a hostile work environment or proving data exfiltration. You provide 118 00:06:09.319 --> 00:06:11.600 the digital facts, not the judgment. 119 00:06:11.879 --> 00:06:14.199 The book also talks about different types of hackers, doesn't 120 00:06:14.199 --> 00:06:16.160 it beyond the sort of movie stereotype. 121 00:06:16.240 --> 00:06:20.560 It does. It distinguishes between white hat hackers, the ethical 122 00:06:20.600 --> 00:06:25.240 ones testing systems, black hat hackers doing malicious stuff, and 123 00:06:25.319 --> 00:06:30.000 even activist hackers or activists with social or political goals. 124 00:06:29.720 --> 00:06:31.720 Of social engineering like fishing. 125 00:06:32.079 --> 00:06:35.600 Yes, that's a huge one, tricking people into giving up credentials. 126 00:06:35.800 --> 00:06:39.040 The book even mentions automated tools like GoFish that can 127 00:06:39.079 --> 00:06:41.560 be used to launch these kinds of attacks quite easily. 128 00:06:41.720 --> 00:06:45.480 Scary stuff. Yeah, and the insider threat you mentioned. 129 00:06:45.360 --> 00:06:48.600 That's particularly worrying for businesses. The book quotes a stat 130 00:06:48.639 --> 00:06:52.199 that in the IT sector, nearly seventy five percent three 131 00:06:52.279 --> 00:06:55.000 quarters of insider attacks came from former. 132 00:06:54.720 --> 00:06:56.839 Employees former employees. Wow. 133 00:06:57.000 --> 00:07:01.079 Yeah, And what's maybe even more alarming, almost twenty percent 134 00:07:01.240 --> 00:07:04.120 of those attackers still had active account access after they'd 135 00:07:04.199 --> 00:07:04.800 left the company. 136 00:07:04.879 --> 00:07:07.439 That's not just a technical issue. That's a huge policy failure. 137 00:07:07.519 --> 00:07:10.680 It screams of a fundamental gap and procedures. Yeah, offboarding 138 00:07:10.720 --> 00:07:12.160 processes need to be water tight. 139 00:07:12.360 --> 00:07:14.680 So wrapping this section up, what does this all mean 140 00:07:14.759 --> 00:07:17.319 for you the listener, whether you're running a business or 141 00:07:17.399 --> 00:07:19.120 just trying to stay safe online? 142 00:07:19.240 --> 00:07:22.959 Well, I think understanding these different threats, these attack vectors, 143 00:07:23.079 --> 00:07:26.600 and just how many digital breadcrumbs we all leave that 144 00:07:26.720 --> 00:07:30.240 awareness is really step one. Protecting yourself. Protecting your data 145 00:07:30.680 --> 00:07:31.319 starts there. 146 00:07:31.600 --> 00:07:34.959 Okay, so we get the scope. Now, criminal, corporate, the 147 00:07:35.079 --> 00:07:38.720 sheer amount of data. But how does an investigator actually 148 00:07:38.800 --> 00:07:41.319 gear up for one of these digital hunts. It's got 149 00:07:41.360 --> 00:07:43.480 to be more than just having a powerful computer. 150 00:07:43.199 --> 00:07:46.639 Re oh much more. The pre investigation considerations the book 151 00:07:46.639 --> 00:07:50.439 talks about, they're absolutely vital. They're the foundation for any 152 00:07:50.480 --> 00:07:54.120 credible investigation like WEX Specifically well selecting the right equipment, 153 00:07:54.199 --> 00:07:58.319 obviously committing to continuous training because this tech changes constantly, 154 00:07:58.839 --> 00:08:03.240 exactly deep understanding the current laws and regulations in your jurisdiction, 155 00:08:03.759 --> 00:08:08.360 and critically having a well stocked, pre packed response kit and. 156 00:08:08.319 --> 00:08:11.920 The computer self the forensic workstation. The book mentions some 157 00:08:12.079 --> 00:08:13.079 serious specs. 158 00:08:13.319 --> 00:08:16.519 It does. We're talking high end server processors, massive amounts 159 00:08:16.519 --> 00:08:18.959 of RAM, like the six hundred and forty gigabytes mentioned 160 00:08:19.000 --> 00:08:21.680 one and forty gigs of RAM? 161 00:08:21.879 --> 00:08:22.680 Why so much? 162 00:08:23.120 --> 00:08:26.480 It's not overkill. Think about loading an entire image of 163 00:08:26.480 --> 00:08:30.279 a suspect's hard drive, potentially terabytes of data directly into 164 00:08:30.319 --> 00:08:35.000 memory for analysis. You need that RAM to run complex searches, 165 00:08:35.159 --> 00:08:39.879 index files, use multiple tools simultaneously without grinding to a halt. 166 00:08:40.200 --> 00:08:44.120 It's about processing power and avoiding bottlenecks, especially when time 167 00:08:44.320 --> 00:08:44.960 is critical. 168 00:08:45.200 --> 00:08:48.559 Got it makes sense. And that response kit you mentioned 169 00:08:48.919 --> 00:08:50.519 sounds like a detective's go back. 170 00:08:50.399 --> 00:08:53.759 Pretty much, Yeah, a digital detectives go back. It includes 171 00:08:53.799 --> 00:08:57.639 things like a digital camera, interestingly often with the microphone 172 00:08:57.639 --> 00:09:01.679 disabled for legal admissibility reasons. Latex gloves in case of 173 00:09:01.720 --> 00:09:06.360 biohazards on devices, frequency shielding material like Faraday bags, which 174 00:09:06.360 --> 00:09:09.440 are crucial. They stop mobile devices from connecting to networks, 175 00:09:09.480 --> 00:09:13.039 preventing remote white or receiving new data that could contaminate 176 00:09:13.080 --> 00:09:16.799 the evidence. Essential, and of course, precision toolkits for carefully 177 00:09:16.799 --> 00:09:20.679 taking apart devices if necessary. Every item has a specific purpose, 178 00:09:20.879 --> 00:09:23.799 all aimed at preserving evidence, integrity. 179 00:09:23.240 --> 00:09:27.159 And procedures procedures seeing paramount. The book shares a story it. 180 00:09:27.080 --> 00:09:32.879 Does, a cautionary tale about a colleague a who basically 181 00:09:32.919 --> 00:09:36.080 made a huge mistake when creating a forensic image a 182 00:09:36.080 --> 00:09:39.159 bit or bit copy. They accidentally imaged their own forensic 183 00:09:39.240 --> 00:09:43.240 laptop system drive instead of the suspects device. Oh no, exactly. 184 00:09:43.639 --> 00:09:46.600 It's a stark reminder that even experienced people can make 185 00:09:46.600 --> 00:09:49.799 critical errors if they don't follow meticulous and documented steps. 186 00:09:50.360 --> 00:09:53.759 One slip up can potentially torpedo the entire investigation. 187 00:09:54.080 --> 00:09:56.879 So the takeaway for you, the listener, if digital evidence 188 00:09:56.919 --> 00:09:58.919 ever becomes relevant in your life. 189 00:09:58.799 --> 00:10:02.919 Or work, it means the reliability the admissibility of that evidence. 190 00:10:02.960 --> 00:10:06.320 It hinges completely on the investigator sticking rigidly to best 191 00:10:06.360 --> 00:10:10.080 practices and procedures. Any deviation just opens the door for challenges. 192 00:10:10.120 --> 00:10:13.360 Okay, now, what about the software the tools investigators use? 193 00:10:13.559 --> 00:10:16.519 Is it always about expensive commercial software or do open 194 00:10:16.559 --> 00:10:17.799 source options play role? 195 00:10:18.039 --> 00:10:20.879 That's a great question. Many assume you need the pricey stuff, 196 00:10:20.919 --> 00:10:23.879 but the book clarifies that both absolutely have their place. 197 00:10:24.080 --> 00:10:26.720 Like in case right in case is a well known 198 00:10:26.759 --> 00:10:32.039 commercial standard, but there are incredibly powerful open source alternatives too, 199 00:10:32.360 --> 00:10:36.519 things like Autopsy, the Sift work station, Paladin. 200 00:10:36.639 --> 00:10:38.679 Seeing so advantages either way. 201 00:10:38.919 --> 00:10:42.440 Commercial tools often come with dedicated support regular updates, which 202 00:10:42.480 --> 00:10:45.840 is a big plus, but open source tools are frequently 203 00:10:45.879 --> 00:10:49.519 developed by global communities of experts. They can often achieve 204 00:10:49.559 --> 00:10:52.679 the exact same results, sometimes even better in specific niches, 205 00:10:53.080 --> 00:10:56.159 especially if the investigator has the technical skills to really 206 00:10:56.240 --> 00:10:56.919 leverage them. 207 00:10:57.039 --> 00:10:59.759 And how do we know these tools actually work correctly? 208 00:11:00.080 --> 00:11:01.679 They don't alter data themselves. 209 00:11:01.879 --> 00:11:04.759 Ah well, that's where NIST comes in. The National Institute 210 00:11:04.759 --> 00:11:07.720 of Standards and Technology. They run something called the Computer 211 00:11:07.840 --> 00:11:12.759 Forensic Tool Testing Project or CFTT. They independently test and 212 00:11:12.879 --> 00:11:17.000 validate forensic software. The book stresses it's a best practice 213 00:11:17.000 --> 00:11:19.519 to validate the results of your forensic tools at least 214 00:11:19.519 --> 00:11:23.159 annually or whenever the tool gets updated. It provides confidence, 215 00:11:23.360 --> 00:11:26.559 it ensures the findings you present are demonstrably reliable. 216 00:11:26.200 --> 00:11:30.639 Crucial for court and before any tool touches evidence, two 217 00:11:30.759 --> 00:11:36.080 terms keep popping up sterile media and right blocking. Why 218 00:11:36.120 --> 00:11:38.679 are these so critical? Like non negotiable? 219 00:11:39.039 --> 00:11:41.879 They are absolutely non negotiable. Right blocking is maybe the 220 00:11:41.879 --> 00:11:46.080 most fundamental principle, it's hardware or software that physically prevents 221 00:11:46.120 --> 00:11:49.279 any data from being written to the original evidence device. 222 00:11:49.320 --> 00:11:51.120 Though I guarantees you don't change anything. 223 00:11:50.840 --> 00:11:54.799 Precisely, it ensures the integrity of that original source. You 224 00:11:54.840 --> 00:11:57.399 connect the suspect drive through a right blocker and you 225 00:11:57.440 --> 00:12:00.720 can read everything, but you literally cannot alter a single bit. 226 00:12:01.399 --> 00:12:04.240 It prevents any later claims that the investigator tampered with 227 00:12:04.279 --> 00:12:04.759 the evidence. 228 00:12:04.879 --> 00:12:06.639 Makes sense. And sterile media. 229 00:12:06.759 --> 00:12:09.039 Steril media is your target drive where you save the 230 00:12:09.039 --> 00:12:12.519 forensic image. It needs to be forensically wiped, usually filled 231 00:12:12.519 --> 00:12:18.200 with hexadecimal zeros before use. This prevents cross contamination, meaning 232 00:12:18.240 --> 00:12:20.679 you don't want any leftover data from a previous case 233 00:12:20.720 --> 00:12:23.879 accidentally mixing with your current evidence image. It ensures the 234 00:12:23.919 --> 00:12:28.440 copy is pure, untainted. The mantra is simply never want 235 00:12:28.480 --> 00:12:31.440 to change the source de vice digital evidence ever. 236 00:12:31.720 --> 00:12:34.559 Okay, so the investigators prepped, they have the right tools, 237 00:12:34.600 --> 00:12:37.440 they're using right blockers and steril media. How do they 238 00:12:37.480 --> 00:12:41.000 actually get into a system to grab the data without 239 00:12:41.480 --> 00:12:44.720 again altering anything. The book talks about the boot process. 240 00:12:44.960 --> 00:12:48.480 Yeah, understanding how a computer starts up is fundamental, whether 241 00:12:48.519 --> 00:12:51.960 it's the older biosystem which uses a master boot record 242 00:12:52.080 --> 00:12:55.559 MBR to find the operating system, or the newer UFI 243 00:12:55.679 --> 00:13:01.279 standard with its gied Partition Table GPTWO. Knowing this helps 244 00:13:01.320 --> 00:13:04.120 you bypass the normal boot sequence that could write data. 245 00:13:04.279 --> 00:13:07.279 Oh soo, Well, you need to implement controls to protect 246 00:13:07.279 --> 00:13:10.279 the integrity of the evidence. For example, if you have 247 00:13:10.320 --> 00:13:13.039 to boot the suspects machine, which is often avoided, you 248 00:13:13.120 --> 00:13:16.559 might first try to physically disengage the storage devices if 249 00:13:16.600 --> 00:13:19.399 they are accessible, or more commonly, you'd boot from a 250 00:13:19.440 --> 00:13:23.159 specialized forensic live CD or USB drive which loads its 251 00:13:23.200 --> 00:13:26.600 own operating system and tools into RAM, leaving the suspects 252 00:13:26.679 --> 00:13:29.120 drives untouched until you mount them in a read only 253 00:13:29.200 --> 00:13:30.039 state using. 254 00:13:29.840 --> 00:13:31.960 A write blocker, always read only. 255 00:13:31.799 --> 00:13:33.679 Always read only for the original evidence. 256 00:13:33.919 --> 00:13:36.120 Got it? Now? Here's the bit that I think is 257 00:13:36.240 --> 00:13:40.039 often an AHA moment for people. What actually happens when 258 00:13:40.039 --> 00:13:43.360 you press delete on a file? Is it really gone? Poof? 259 00:13:43.639 --> 00:13:47.519 Almost never poof? Not immediately anyway. The book explains that 260 00:13:47.559 --> 00:13:50.919 in many common file systems, like the older FAT system 261 00:13:51.120 --> 00:13:55.120 or even NTFS, to an extent, deleting a file doesn't 262 00:13:55.159 --> 00:13:57.679 actually erase the ones and zeros that make up the 263 00:13:57.720 --> 00:13:59.080 file's data. On the disc. 264 00:13:59.320 --> 00:13:59.879 So what does it do? 265 00:14:00.200 --> 00:14:03.799 It basically just marks the space the file occupied as available. 266 00:14:04.240 --> 00:14:06.919 It might change the first character of the file name 267 00:14:07.039 --> 00:14:09.279 in the directory entry, like to ie five and a 268 00:14:09.320 --> 00:14:11.720 fat yeah, and it clears the pointers in the file 269 00:14:11.759 --> 00:14:14.759 allocation table that say this block belongs to this file. 270 00:14:14.919 --> 00:14:16.840 So just removes the signposts exactly. 271 00:14:16.879 --> 00:14:19.360 It removes the signpost telling the operating system where the 272 00:14:19.399 --> 00:14:22.879 file is, but the data itself often remains there, untouched, 273 00:14:23.120 --> 00:14:26.360 until the operating system needs that specific physical space on 274 00:14:26.399 --> 00:14:27.480 the disc to write new. 275 00:14:27.440 --> 00:14:29.399 Data, which might not happen for a while. 276 00:14:29.559 --> 00:14:31.919 Could be minutes, could be months, could be years, depending 277 00:14:32.000 --> 00:14:33.960 on how full the drive is and how it's used. 278 00:14:34.360 --> 00:14:37.519 And that's why recovering deleted files is so often possible 279 00:14:37.600 --> 00:14:41.639 for forensic investigators. They use tools that scan these unallocated 280 00:14:41.679 --> 00:14:45.159 spaces looking for file fragments or intact files that haven't 281 00:14:45.159 --> 00:14:46.039 been overwritten yet. 282 00:14:46.080 --> 00:14:50.639 That's huge. So delete is more like make available for overwriting. 283 00:14:50.879 --> 00:14:54.080 Eventually pretty much yeah, a much less final action than 284 00:14:54.120 --> 00:14:55.000 most people assume. 285 00:14:55.360 --> 00:14:59.519 So beyond recovering these deleted files, what other kinds of 286 00:14:59.600 --> 00:15:04.000 specif digital breadcrumbs these artifacts can investigators find just within 287 00:15:04.039 --> 00:15:05.639 the windows operating system itself. 288 00:15:05.720 --> 00:15:08.360 Oh, Windows is packed with them. The Windows Registry is 289 00:15:08.360 --> 00:15:11.399 often called the very heart of the Windows operating system. 290 00:15:11.440 --> 00:15:15.120 Why is that because it's a massive database holding configuration 291 00:15:15.240 --> 00:15:20.279 settings for hardware, software, user accounts, system policies, pretty much everything. 292 00:15:20.759 --> 00:15:24.080 For an investigator, it's a gold mine understanding its structure. 293 00:15:24.279 --> 00:15:27.879 These things called hives lets you reconstruct a timeline of activity. 294 00:15:27.960 --> 00:15:30.799 See what software was installed, what devices were connected, like 295 00:15:30.960 --> 00:15:34.559 USB drives, exactly when they were first connected, last connected, 296 00:15:34.600 --> 00:15:36.720 sometimes even the specific serial number. 297 00:15:36.480 --> 00:15:38.440 Of the drive. Wow. What about user activity? 298 00:15:38.519 --> 00:15:43.279 Absolutely? User profiles themselves tell a story local roaming, mandatory 299 00:15:43.440 --> 00:15:48.000 temporary profiles, and within the registry, specifically the SAM hive, 300 00:15:48.320 --> 00:15:51.639 you can often find critical timestamps like the last log 301 00:15:51.679 --> 00:15:54.679 in time for a user or the last password change. 302 00:15:55.039 --> 00:15:58.080 It's like a digital logbook of who was potentially using 303 00:15:58.080 --> 00:15:59.360 the system and when an. 304 00:15:59.320 --> 00:16:00.519 Event log I hear. 305 00:16:00.559 --> 00:16:04.519 Those are important, hugely important. Windows records thousands of different events. 306 00:16:04.600 --> 00:16:08.159 For instance, event ID four six four signals a successful 307 00:16:08.240 --> 00:16:11.559 user login. But crucially, it often records the type of 308 00:16:11.559 --> 00:16:12.200 log on too. 309 00:16:12.360 --> 00:16:13.120 What does that tell you? 310 00:16:13.440 --> 00:16:17.519 It distinguishes between someone physically sitting at the keyboard versus say, 311 00:16:17.559 --> 00:16:20.919 someone logging in remotely over the network using remote desktop, 312 00:16:21.000 --> 00:16:24.559 or maybe a network service logging on. In an investigation, 313 00:16:24.759 --> 00:16:27.480 knowing how someone accessed the system can be just as 314 00:16:27.519 --> 00:16:30.559 important as knowing when changes the whole picture completely. Was 315 00:16:30.600 --> 00:16:32.960 it an insider at the desk or an external attacker 316 00:16:33.000 --> 00:16:35.159 coming through the network, very different scenarios. 317 00:16:35.320 --> 00:16:39.639 The book also mentions artifacts showing file knowledge, things like 318 00:16:39.679 --> 00:16:41.159 thumbnail right the thumb caash. 319 00:16:41.679 --> 00:16:46.120 Windows automatically create small thumbnail images of pictures or videos 320 00:16:46.440 --> 00:16:49.879 when you browse folders and explore. Finding a thumbnail of 321 00:16:49.919 --> 00:16:53.559 a specific illicit image, for example, proves that image file 322 00:16:53.679 --> 00:16:56.559 was present on the system in a location explorer could see. 323 00:16:56.879 --> 00:16:58.919 But does it prove the users saw it. 324 00:16:59.519 --> 00:17:02.720 Ah. That's the important caveat the book makes. A thumbnail 325 00:17:02.720 --> 00:17:05.920 alone is not substantial proof that the user knew the 326 00:17:05.960 --> 00:17:08.960 image was on the system. It shows the file existed, 327 00:17:09.200 --> 00:17:12.200 but not necessarily that the user intentionally viewed it. It's 328 00:17:12.240 --> 00:17:15.759 supporting evidence part of the puzzle, but usually not conclusive on. 329 00:17:15.720 --> 00:17:20.000 Its own good distinction. Mru List's recycle bin YEP. 330 00:17:19.799 --> 00:17:23.440 Most recently used or recently used mr u lists track 331 00:17:23.519 --> 00:17:26.720 files and applications. The user opened the recycle bin even 332 00:17:26.759 --> 00:17:29.240 if a user empties it, the underlying data might still 333 00:17:29.240 --> 00:17:31.799 be an unallocated space, and the metadata about what was 334 00:17:31.799 --> 00:17:33.000 in the bin might still. 335 00:17:32.759 --> 00:17:34.319 Exist even if it looks empty. 336 00:17:34.440 --> 00:17:37.799 Even if it looks empty, then you have shortcut LLENK files. 337 00:17:38.200 --> 00:17:42.160 Windows creates these automatically sometimes or users create them. What's 338 00:17:42.200 --> 00:17:46.400 fascinating is that llenk file retains information about the original 339 00:17:46.440 --> 00:17:50.160 target file, its path, size, timestamps, even if the original 340 00:17:50.240 --> 00:17:52.200 file is later deleted or moved. 341 00:17:52.160 --> 00:17:54.799 So the shortcut remembers the file in a way. 342 00:17:54.880 --> 00:17:58.359 Yes, it's another trace and jump lists those lists of 343 00:17:58.400 --> 00:18:01.000 recent documents or tasks that pair when you write click 344 00:18:01.039 --> 00:18:05.200 and application on the taskbar. They also store valuable activity data. 345 00:18:05.480 --> 00:18:09.319 Okay, so tons of traces within Windows itself. Can you 346 00:18:09.440 --> 00:18:11.920 use these traces to figure out where kmmodra was, like 347 00:18:11.960 --> 00:18:13.119 its physical location? 348 00:18:13.400 --> 00:18:17.039 Sometimes yes. Exploring the network history is key here, specifically 349 00:18:17.079 --> 00:18:19.640 looking at which Wi Fi networks a device has connected 350 00:18:19.680 --> 00:18:22.599 to and ideally when how does that help well? Wi 351 00:18:22.599 --> 00:18:26.640 Fi networks have names, SSIDs and often associated location data. 352 00:18:27.079 --> 00:18:30.160 The book gives a great example an investigation where tracking 353 00:18:30.160 --> 00:18:33.119 the Wi Fi hotspots a suspect's phone connected to allow 354 00:18:33.240 --> 00:18:36.640 investigators to map out his movements over time. This completely 355 00:18:36.680 --> 00:18:39.279 contradicted his alibi about where he claimed to be, So 356 00:18:39.359 --> 00:18:40.359 the phone's Wi. 357 00:18:40.119 --> 00:18:42.200 Fi history became a location tracker. 358 00:18:42.440 --> 00:18:46.000 Essentially, yes, it provided a digital breadcrimb trail of his 359 00:18:46.039 --> 00:18:47.160 physical locations. 360 00:18:47.440 --> 00:18:51.319 Okay, let's shift from storage like hard drives and SSDs. 361 00:18:51.680 --> 00:18:55.039 What about RAM memory analysis? Sounds like a whole different challenge. 362 00:18:55.079 --> 00:18:57.359 It's voluadle right gone when the power goes. 363 00:18:57.160 --> 00:19:00.839 Off, extremely validile that's the main challenge. RAM holds a 364 00:19:00.839 --> 00:19:05.480 snapshot of the system's current running state, like what active processes, 365 00:19:05.519 --> 00:19:09.559 including hidden malware, network connections currently open. Maybe fragments of 366 00:19:09.599 --> 00:19:14.599 documents or emails being typed chat messages incredibly valuable time. 367 00:19:14.440 --> 00:19:17.400 Sensitive data but lost on shutdown. 368 00:19:17.039 --> 00:19:20.079 Lost on shutdown unless it's specifically captured before the system 369 00:19:20.119 --> 00:19:23.839 powers down using specialized tools to perform a live acquisition 370 00:19:23.960 --> 00:19:27.160 or memory dump. Or sometimes fragments might get written to 371 00:19:27.200 --> 00:19:30.519 system files like page file, dot hasses, Windows Virtual Memory 372 00:19:30.720 --> 00:19:34.319 or hyberfill dot hasses, which is created during hibernation. But 373 00:19:34.440 --> 00:19:37.839 capturing live RAM is tricky and needs to happen fast in. 374 00:19:37.839 --> 00:19:42.680 The tools for analyzing this captured RAM, like bulk extractor volatility. 375 00:19:42.200 --> 00:19:46.000 Very powerful tools Volatility is an amazing framework for pulling 376 00:19:46.039 --> 00:19:49.240 structured information out of a raw memory dump running processes, 377 00:19:49.480 --> 00:19:53.799 network sockets, registry keys loaded in memory. Bulk Extractor, as 378 00:19:53.839 --> 00:19:57.359 the book notes, takes a different approach. It largely ignores 379 00:19:57.440 --> 00:20:00.039 the file system structure and just rapidly scans the the 380 00:20:00.240 --> 00:20:02.759 entire data dump, whether it's RAM or a disc image, 381 00:20:02.960 --> 00:20:07.240 for specific patterns like what patterns email addresses, URL's, credit 382 00:20:07.279 --> 00:20:11.920 card numbers, GPS coordinates, specific keywords. It's incredibly fast for 383 00:20:11.960 --> 00:20:14.400 finding certain types of data without needing to parse the 384 00:20:14.440 --> 00:20:15.400 whole file system. 385 00:20:15.559 --> 00:20:20.480 A very different approach. Yeah, shifting again. Communications, email forensics, 386 00:20:20.839 --> 00:20:24.400 Internet artifacts. These must be huge areas for. 387 00:20:24.359 --> 00:20:27.559 Investigators, absolutely massive. For email, you have the basic protocol 388 00:20:27.680 --> 00:20:31.039 SMTP for sending, IMAP or POP three for receiving. That's 389 00:20:31.319 --> 00:20:31.839 the plumbing. 390 00:20:31.920 --> 00:20:33.720 But the investigation gold is elsewhere. 391 00:20:33.799 --> 00:20:37.640 Often yes, it's in decoding email headers. Every email has 392 00:20:37.720 --> 00:20:41.440 hidden header information. The message aid is unique to each email, 393 00:20:41.480 --> 00:20:44.480 like a digital fingerprint, and the chain of received headers 394 00:20:45.000 --> 00:20:47.240 that traces the email's journey from server. 395 00:20:47.039 --> 00:20:48.799 To server, and that can reveal. 396 00:20:48.640 --> 00:20:52.119 Crucially, it often reveals the IP addresses of the servers involved, 397 00:20:52.160 --> 00:20:56.440 including potentially the sender's original IP address along with timestamps. 398 00:20:56.759 --> 00:20:59.319 This can help trace an email back to its source, 399 00:20:59.720 --> 00:21:01.599 even if the sender tried to hide their tracks. 400 00:21:01.720 --> 00:21:05.440 Powerful stuff? What about just general web browsing? Internet history? 401 00:21:05.559 --> 00:21:11.759 Equally rich? The book details artifacts from all the major browsers, Chrome, Edge, Firefox. 402 00:21:11.799 --> 00:21:15.519 We're talking bookmarks, detailed browsing history, logs, what sites were 403 00:21:15.599 --> 00:21:19.160 visited when the browser, cash copies of web pages and 404 00:21:19.160 --> 00:21:23.160 images stored locally, cookies which track sessions and use of preferences, 405 00:21:23.319 --> 00:21:26.279 lots to dig through, tons, and it gets granular. The 406 00:21:26.279 --> 00:21:29.559 book mentions how Google Chrome, for instance, stores its timestams 407 00:21:29.559 --> 00:21:32.599 in a specific format that needs tools like decode to 408 00:21:32.680 --> 00:21:35.920 translate accurately into human readable dates and times. 409 00:21:36.200 --> 00:21:41.400 Details matter and beyond. Browsers, social media, file sharing, cloud 410 00:21:41.440 --> 00:21:42.880 storage all leave. 411 00:21:42.720 --> 00:21:47.240 Digital footprints Facebook, Twitter, Snapchat, cook p twop apps like 412 00:21:47.319 --> 00:21:51.519 eras or eMule, cloud services like Dropbox, Google Drive. They 413 00:21:51.519 --> 00:21:53.519 all generate logs and store data. 414 00:21:53.559 --> 00:21:56.119 But where is that data stored? Mostly not on the 415 00:21:56.200 --> 00:21:57.440 user's computer right. 416 00:21:57.599 --> 00:22:00.440 Often No, that's the key thing for you to know here. 417 00:22:00.720 --> 00:22:03.960 Much of this data, social media posts, cloud files, PDP 418 00:22:04.119 --> 00:22:06.599 logs resides on the service provider's servers. 419 00:22:06.759 --> 00:22:09.799 So investigators can't just grab it from the device, usually not. 420 00:22:09.799 --> 00:22:13.599 The full picture. Accessing that server side data typically requires 421 00:22:13.680 --> 00:22:18.599 legal process, judicially approved subpoenas or search warrants served on 422 00:22:18.640 --> 00:22:21.559 the company running the service. It adds a whole layer 423 00:22:21.599 --> 00:22:24.319 of legal procedure and time to the investigation. 424 00:22:24.400 --> 00:22:27.039 Okay, so we've talked about finding this mountain of digital 425 00:22:27.039 --> 00:22:30.160 evidence decoding it, but it's useless if you can't explain 426 00:22:30.160 --> 00:22:33.839 it clearly right. The book calls report writing possibly one 427 00:22:33.839 --> 00:22:36.400 of the hardest things for an investigator. 428 00:22:35.920 --> 00:22:39.440 Why because it demands a really unique skill set. You 429 00:22:39.519 --> 00:22:42.640 have to take an incredibly technical subject and explain it 430 00:22:42.680 --> 00:22:45.839 in a manner that a non technical person like a judge, 431 00:22:45.880 --> 00:22:48.279 a jury, or company management will. 432 00:22:48.200 --> 00:22:50.160 Understand without dumbing it down too. 433 00:22:50.119 --> 00:22:53.720 Much, exactly, and crucially, without making assumptions or injecting your 434 00:22:53.720 --> 00:22:57.519 own opinions. It's a balancing act for you, the listener. 435 00:22:57.640 --> 00:23:02.480 The absolute key takeaways here are clarity, impartiality, and sticking 436 00:23:02.559 --> 00:23:06.559 strictly to the objective facts. The investigator educates. They don't 437 00:23:06.640 --> 00:23:07.319 advocate for. 438 00:23:07.319 --> 00:23:09.599 One side, and good notes are essential, I. 439 00:23:09.480 --> 00:23:13.599 Imagine non negotiable. The book quotes the maxim if you 440 00:23:13.640 --> 00:23:16.799 do not write it down it did not happen. Meticulous 441 00:23:16.839 --> 00:23:20.559 contemporaneous notes during the examination are critical. They form the 442 00:23:20.599 --> 00:23:22.039 basis of the final. 443 00:23:21.759 --> 00:23:23.640 Report, which has a specific structure. 444 00:23:23.759 --> 00:23:27.799 Generally, yes, a good report includes administrative details, case numbers, 445 00:23:27.880 --> 00:23:31.799 investigator info, a clear executive summary hitting the key findings, 446 00:23:32.000 --> 00:23:35.599 the methodology used, what tools, what procedures, details of the 447 00:23:35.640 --> 00:23:39.519 evidence analyzed, specifics of the acquisition and analysis process, and 448 00:23:39.599 --> 00:23:43.599 finally all the supporting exhibits screenshots, log excerpts, et cetera. 449 00:23:43.759 --> 00:23:45.880 And the language used. Yeah, the book warns. 450 00:23:45.599 --> 00:23:50.359 About that strongly. It emphasizes using objective language, avoiding absolute 451 00:23:50.400 --> 00:23:54.400 statements unless completely certain, and steering clear of unnecessary adjectives 452 00:23:54.400 --> 00:23:55.519 that carry emotional weight. 453 00:23:55.680 --> 00:23:57.599 Can you give that example again, the one about. 454 00:23:57.359 --> 00:24:00.200 The image, right, Instead of writing a disturbing image of 455 00:24:00.240 --> 00:24:03.559 a child which injects opinion and emotion, the report should 456 00:24:03.599 --> 00:24:08.119 state factually something like an image depicting a young looking 457 00:24:08.160 --> 00:24:11.839 male nude standing in a wooded area. Describe what you 458 00:24:11.920 --> 00:24:13.160 see objectively. 459 00:24:13.680 --> 00:24:15.839 Let the image speak for itself to the fact finder. 460 00:24:16.079 --> 00:24:20.279 Precisely you present the digital facts. You don't offer opinions 461 00:24:20.279 --> 00:24:23.160 on their meaning or impact. That's for the judge, jury 462 00:24:23.279 --> 00:24:26.440 or management to decide based on all the evidence presented. 463 00:24:26.599 --> 00:24:29.279 This focus on integrity of the process, the tools, the 464 00:24:29.359 --> 00:24:33.160 reporting seems vital. The book gives some pretty sobering examples 465 00:24:33.160 --> 00:24:35.240 of what happens when things go wrong, doesn't. 466 00:24:34.960 --> 00:24:37.559 It It does? These are really important lessons. Look at 467 00:24:37.559 --> 00:24:41.480 the Casey Anthony case. Potentially crucial digital evidence was, as 468 00:24:41.519 --> 00:24:45.440 the book says, mitigated. Its impact lessened partly because the 469 00:24:45.440 --> 00:24:48.720 defense raised questions about an error reported and the forensic. 470 00:24:48.319 --> 00:24:51.200 Tool used, creating doubt about the finding exactly. 471 00:24:51.319 --> 00:24:54.279 It casts doubt on the reliability of those specific findings. 472 00:24:54.319 --> 00:24:57.519 And there was another case with deleted messages. 473 00:24:57.440 --> 00:25:01.440 Yes We're an investigator apparently deleted text messages and edit 474 00:25:01.559 --> 00:25:05.039 the video file of the recording of the confession. When 475 00:25:05.079 --> 00:25:07.400 this came to light, the judge informed the jury that 476 00:25:07.440 --> 00:25:11.559 these alterations had hindered the government's prosecution and the verdict 477 00:25:11.680 --> 00:25:16.559 not guilty. In both situations, fundamental errors or misconduct related 478 00:25:16.559 --> 00:25:20.480 to handling or presenting digital evidence seriously damaged or even 479 00:25:20.519 --> 00:25:22.759 destroyed the prosecution's case. 480 00:25:23.039 --> 00:25:25.759 It really hammers home the need for procedure. 481 00:25:26.039 --> 00:25:31.079 It underscores why proper evidence handling procedures, maintaining that meticulous 482 00:25:31.200 --> 00:25:34.559 unbroken chain of custody and security from seizure to courtroom 483 00:25:34.960 --> 00:25:37.599 are absolutely paramount. They're not just bureaucratic steps. 484 00:25:37.599 --> 00:25:39.759 They're essential for admissibility. Essential. 485 00:25:40.000 --> 00:25:44.000 Any misstep, any gap in the chain, any deviation from procedure, 486 00:25:44.279 --> 00:25:47.000 it can create reasonable doubt in the mind of a juror, 487 00:25:47.400 --> 00:25:50.279 and reasonable doubt is all it takes to generate an acquittal, 488 00:25:50.440 --> 00:25:53.079 even if the underlying digital evidence seems strong. 489 00:25:53.519 --> 00:25:56.079 So finally, let's talk about the role of the investigator 490 00:25:56.119 --> 00:25:59.640 as an expert witness in court and the ethics involved. 491 00:26:00.119 --> 00:26:02.079 Aren't there to help one side win, are they? 492 00:26:02.359 --> 00:26:06.319 Absolutely not. That's a fundamental misunderstanding some people have. As 493 00:26:06.359 --> 00:26:09.319 an expert witness, your duty is to the court, to 494 00:26:09.359 --> 00:26:13.599 the truth. You have a responsibility to conduct due diligence, 495 00:26:13.880 --> 00:26:14.920 be truthful, and. 496 00:26:14.920 --> 00:26:17.359 Be objective, regardless of who hired. 497 00:26:17.079 --> 00:26:20.960 You, regardless The book references the International Association of Computer 498 00:26:21.039 --> 00:26:25.599 Investigative Specialists IACIS Code of Ethics. It strictly prohibits things 499 00:26:25.640 --> 00:26:29.440 like misrepresenting your credentials or any form of professional dishonesty. 500 00:26:29.920 --> 00:26:33.519 Your goal, simply put, is to be unbiased and present 501 00:26:33.559 --> 00:26:36.440 the facts of the matter to the FactFinder period. 502 00:26:36.160 --> 00:26:38.240 Allow them to make the informed decision. 503 00:26:37.960 --> 00:26:40.200 Based on the digital truth as you found it explained 504 00:26:40.200 --> 00:26:43.839 clearly and objectively. It's a role built entirely on trust 505 00:26:43.880 --> 00:26:45.119 and integrity. 506 00:26:44.799 --> 00:26:48.000 And given how fast technology changes, it really is a 507 00:26:48.039 --> 00:26:49.400 field where the learning never. 508 00:26:49.279 --> 00:26:53.759 Stops, constantly evolving new devices, new software, and new encryption methods. 509 00:26:54.640 --> 00:26:55.680 You have to stay current. 510 00:26:55.839 --> 00:26:58.599 Okay, So wrapping this all up, what does this deep 511 00:26:58.680 --> 00:27:00.880 dive mean for you are listener. 512 00:27:00.799 --> 00:27:03.680 Well, hopefully it's revealed this kind of hidden world that 513 00:27:03.759 --> 00:27:07.680 exists within all our digital devices, a world where almost 514 00:27:07.680 --> 00:27:12.079 every action, every click, every connection leaves some kind of trace. 515 00:27:11.880 --> 00:27:16.200 And where skilled ethical investigators can meticulously uncover the truth 516 00:27:16.440 --> 00:27:17.400 bite by bite. 517 00:27:17.440 --> 00:27:20.680 You've hopefully gained a much clearer understanding of the whole journey, 518 00:27:20.839 --> 00:27:24.519 from the types of cases, whether they're criminal or corporate 519 00:27:24.640 --> 00:27:28.559 or even cyber stocking, right to the specialized tools and 520 00:27:28.599 --> 00:27:32.759 the absolutely critical procedures needed to collect and analyze that 521 00:27:32.839 --> 00:27:37.640 evidence properly. And you've seen why impartiality and ethics aren't optional, 522 00:27:37.839 --> 00:27:38.799 they're foundational. 523 00:27:39.519 --> 00:27:43.079 We've explored some fascinating artifacts hidden deep in operating systems. 524 00:27:43.200 --> 00:27:46.440 We've decoded secrets and email headers and browser trails, and 525 00:27:46.480 --> 00:27:50.119 maybe the big takeaway For many, we've learned that deleted 526 00:27:50.400 --> 00:27:55.039 rarely means gone, that data often sticks around waiting to 527 00:27:55.079 --> 00:27:55.680 be recovered. 528 00:27:55.759 --> 00:27:59.160 Yeah, that's often a surprise. So your enhanced awareness now 529 00:27:59.160 --> 00:28:01.119 of these digital foot prince we all leave and the 530 00:28:01.119 --> 00:28:03.799 forensic process used to find them, hopefully it gives you 531 00:28:03.799 --> 00:28:06.319 a new appreciation for these hidden layers of information all 532 00:28:06.359 --> 00:28:06.880 around us. 533 00:28:07.160 --> 00:28:10.359 Maybe a deeper understanding of your own digital life too. Definitely. 534 00:28:10.480 --> 00:28:12.240 So here's a final thought something for you to maybe 535 00:28:12.319 --> 00:28:16.079 mull over after this. If our digital world retained so 536 00:28:16.200 --> 00:28:20.759 much information, if skilled investigators can recover so many detailed 537 00:28:20.759 --> 00:28:24.920 traces of our online and offline activities through our devices, 538 00:28:25.519 --> 00:28:28.680 what does that really imply for the future of personal privacy? 539 00:28:29.240 --> 00:28:30.000 A big question? 540 00:28:30.160 --> 00:28:33.920 And thinking about that, how might this newfound knowledge actually 541 00:28:33.960 --> 00:28:37.119 shape your own digital habits, your own approach to how 542 00:28:37.160 --> 00:28:40.160 you live your life online moving forward? Something to think 543 00:28:40.200 --> 00:28:40.480 about