
Introduction to Digital Forensics - Learn the Basics

  • 0:00 - 0:07
    [Music]
  • 0:07 - 0:09
    hello team welcome to my session on
  • 0:09 - 0:11
    coffee with prabh and today we're going
  • 0:11 - 0:15
    to discuss about digital forensics yes
  • 0:15 - 0:17
    it is one of the
  • 0:17 - 0:18
    a great career perspective for the
  • 0:18 - 0:20
    information security professional so i
  • 0:20 - 0:23
    thought i will make one video on digital
  • 0:23 - 0:25
    forensics i am planning to make more
  • 0:25 - 0:27
    videos on digital forensics in future
  • 0:27 - 0:29
    where i am going to discuss about some
  • 0:29 - 0:31
    cases so if you're new to my channel do
  • 0:31 - 0:33
    subscribe to my youtube channel and
  • 0:33 - 0:35
    click on the bell icon to make sure you
  • 0:35 - 0:37
    should not miss my future videos on a
  • 0:37 - 0:38
    similar topic
  • 0:38 - 0:40
    my name is prabh nair for more
  • 0:40 - 0:42
    information you can refer my linkedin
  • 0:42 - 0:45
    profile so without wasting a time let's
  • 0:45 - 0:47
    start with the first part
  • 0:47 - 0:50
    so instead of starting with what is
  • 0:50 - 0:52
    forensics or digital forensics i thought
  • 0:52 - 0:55
    let me give you a first brief idea about
  • 0:55 - 0:57
    cyber crime okay so when we say word
  • 0:57 - 0:58
    cyber
  • 0:58 - 1:00
    and when we say the word crime what is
  • 1:00 - 1:01
    that
  • 1:01 - 1:03
    when you're talking about cyber cyber is
  • 1:03 - 1:06
    a is a concept of you know cyber is
  • 1:06 - 1:08
    relating to or characteristics of the
  • 1:08 - 1:10
    culture of computers
  • 1:10 - 1:12
    information technology and virtual
  • 1:12 - 1:14
    reality so cyber is related to the
  • 1:14 - 1:17
    network cyber is related to the systems
  • 1:17 - 1:19
    and crime is basically called as an
  • 1:19 - 1:22
    action or omission which constitutes an
  • 1:22 - 1:23
    offense
  • 1:23 - 1:26
    so where computer is involved in
  • 1:26 - 1:30
    committing a crime a computer was used
  • 1:30 - 1:32
    to committing a crime that is basically
  • 1:32 - 1:34
    called as a cyber crime so we have a
  • 1:34 - 1:36
    different kind of an expertise who
  • 1:36 - 1:38
    involved in the cyber crime
  • 1:38 - 1:40
    investigation in layman's terms i can say
  • 1:40 - 1:42
    suppose there is a candidate name is
  • 1:42 - 1:45
    rita
  • 1:45 - 1:49
    one day she received a threatening email
  • 1:49 - 1:51
    that okay i will kill you
  • 1:51 - 1:53
    okay or i will
  • 1:53 - 1:56
    do something bad so this kind of a email
  • 1:56 - 1:59
    rita received now rita what she did she
  • 1:59 - 2:03
    report that issue to the police
  • 2:03 - 2:05
    now what police did police basically
  • 2:05 - 2:09
    contact the cyber team
  • 2:10 - 2:12
    and cyber team basically investigated
  • 2:12 - 2:14
    the email from where the email comes
  • 2:14 - 2:17
    what is the ip address of the email
  • 2:17 - 2:19
    what is the source what is the details
  • 2:19 - 2:21
    so here what happened the computer and
  • 2:21 - 2:24
    their associate details artifacts has
  • 2:24 - 2:26
    been used to identify who sent the
  • 2:26 - 2:28
    threatening email to rita
  • 2:28 - 2:30
    see here the rita has not received any
  • 2:30 - 2:33
    kind of physical threat okay it mean
  • 2:33 - 2:34
    that the person is not standing outside
  • 2:34 - 2:37
    the gate and threatening rita
  • 2:37 - 2:39
    she receive an email which is also an
  • 2:39 - 2:41
    electronic email it is not a postal
  • 2:41 - 2:43
    email it is an electronic email which
  • 2:43 - 2:47
    she receive on an email or in a mailbox
  • 2:47 - 2:49
    so based on the data
  • 2:49 - 2:51
    which is received by rita we have
  • 2:51 - 2:54
    investigated where we identify what can
  • 2:54 - 2:56
    be the sender
  • 2:56 - 2:58
    who is the sender from which ip address
  • 2:58 - 3:00
    this email come then we contact that
  • 3:00 - 3:02
    server then from the server we identify
  • 3:02 - 3:04
    the mail has been sent from this
  • 3:04 - 3:06
    particular ip then we went to that
  • 3:06 - 3:07
    system
  • 3:07 - 3:09
    but problem is that that system is used
  • 3:09 - 3:10
    by multiple people then we check the
  • 3:10 - 3:13
    camera from the camera we identify on
  • 3:13 - 3:15
    that particular time who was sitting on
  • 3:15 - 3:17
    the computer then we took a picture and
  • 3:17 - 3:19
    this is how we have invest he can
  • 3:19 - 3:22
    identify who sent an email to rita
  • 3:22 - 3:23
    okay so this is basically where the
  • 3:23 - 3:25
    computer has been used to identify and
  • 3:25 - 3:27
    track because in this particular
  • 3:27 - 3:28
    condition
  • 3:28 - 3:31
    computer was used as a tool to commit a
  • 3:31 - 3:32
    crime
  • 3:32 - 3:33
    okay
  • 3:33 - 3:34
    so that is called as a cyber crime so
  • 3:34 - 3:37
    when we talking about cyber
  • 3:37 - 3:39
    crime it has a two perspective
  • 3:39 - 3:41
    so in this this in cyber crime the
  • 3:41 - 3:43
    computers are basically involved to
  • 3:43 - 3:45
    compete com uh to commit the crime so
  • 3:45 - 3:47
    question is how one condition is
  • 3:47 - 3:50
    computer is a target now example we have
  • 3:50 - 3:52
    a company which is running a very
  • 3:52 - 3:54
    critical servers every day from this
  • 3:54 - 3:56
    particular server we are generating a
  • 3:56 - 3:58
    thousand dollar business
  • 3:58 - 3:59
    now one of our
  • 3:59 - 4:02
    enemies or one of our competitors they
  • 4:02 - 4:04
    hire hackers and they basically try to
  • 4:04 - 4:06
    shut down the servers because they know
  • 4:06 - 4:08
    very well if the server is basically
  • 4:08 - 4:10
    down it will impact the business it is
  • 4:10 - 4:11
    actually a crime
  • 4:11 - 4:13
    because what you're doing here is you
  • 4:13 - 4:15
    are manipulating my servers you shutting
  • 4:15 - 4:16
    down my servers and which impact my
  • 4:16 - 4:18
    business and it is a loss of money for
  • 4:18 - 4:22
    me so here in a cyber crime computer was
  • 4:22 - 4:24
    used as a target okay so in this case
  • 4:24 - 4:27
    they have targeted my server now here
  • 4:27 - 4:29
    what happened hacker also using his
  • 4:29 - 4:30
    computer
  • 4:30 - 4:32
    in which he using a tool to perform the
  • 4:32 - 4:34
    attack so here the computer was used as
  • 4:34 - 4:37
    a mechanism so that is why in the cyber
  • 4:37 - 4:39
    crime we say that computer as a target
  • 4:39 - 4:41
    where i'm targeting a computer to hack
  • 4:41 - 4:44
    the computer and computer as i use it
  • 4:44 - 4:45
    mean i am using my laptop to commit a
  • 4:45 - 4:46
    crime
  • 4:46 - 4:48
    so that is basically usage of cyber
  • 4:48 - 4:51
    crime now in the cyber crime as if you
  • 4:51 - 4:52
    go by the process we have a multiple
  • 4:52 - 4:54
    type of cyber crime but here i have
  • 4:54 - 4:56
    categorized the cyber crime into three
  • 4:56 - 4:58
    category one is called as a cyber
  • 4:58 - 5:01
    trespass second is basically called
  • 5:01 - 5:03
    as a cyber deception and third is
  • 5:03 - 5:06
    basically called as a cyber violence so
  • 5:06 - 5:08
    first is basically called as a cyber
  • 5:08 - 5:10
    trespass so cyber trespass is basically
  • 5:10 - 5:12
    referred to act of crossing the
  • 5:12 - 5:14
    boundaries of ownership in online
  • 5:14 - 5:16
    environment or connect
  • 5:16 - 5:18
    with the unauthorized network one
  • 5:18 - 5:20
    example i can give you so this is
  • 5:20 - 5:24
    basically the wi-fi shop we have
  • 5:25 - 5:27
    coffee shop sorry
  • 5:27 - 5:29
    this is the coffee shop we have okay i
  • 5:29 - 5:31
    want to commit i want to send a
  • 5:31 - 5:33
    threatening email to rita definitely if
  • 5:33 - 5:36
    i use my house ip or if i use my house
  • 5:36 - 5:37
    internet to send an email they can able
  • 5:37 - 5:40
    to track the mail came from prabh
  • 5:40 - 5:43
    now what happened i went to coffee shop
  • 5:43 - 5:45
    okay i took one coffee
  • 5:45 - 5:47
    and they have a wi-fi but they are not
  • 5:47 - 5:49
    sharing me the username password so i
  • 5:49 - 5:52
    basically try to hack the wi-fi network
  • 5:52 - 5:54
    use a wi-fi network to send an email so
  • 5:54 - 5:56
    here i have used some other organization
  • 5:56 - 5:58
    wi-fi and through that i was trying to
  • 5:58 - 6:00
    hack so that is called as a cyber
  • 6:00 - 6:01
    trespass
  • 6:01 - 6:03
    second is called as a cyber deception
  • 6:03 - 6:05
    cyber deception is basically like a
  • 6:05 - 6:07
    phishing where i'm sending a phishing
  • 6:07 - 6:09
    email to you know collect more and more
  • 6:09 - 6:10
    information about the user like i sent
  • 6:10 - 6:12
    you a phishing email hey you want the
  • 6:12 - 6:14
    lottery and to claim the lottery you
  • 6:14 - 6:15
    need to share your account details and
  • 6:15 - 6:18
    other information so here what happened
  • 6:18 - 6:20
    i have collected your information so
  • 6:20 - 6:22
    that is called as a cyber deception and
  • 6:22 - 6:24
    third is called as a cyber violence now
  • 6:24 - 6:26
    i want to promote uh
  • 6:26 - 6:28
    some social message i want to promote
  • 6:28 - 6:30
    some economic message okay i want to
  • 6:30 - 6:32
    promote some religious message so i know
  • 6:32 - 6:34
    facebook server yahoo server google
  • 6:34 - 6:37
    server is basically receive huge traffic
  • 6:37 - 6:39
    so we hack into those servers and we
  • 6:39 - 6:41
    promote our social economic message that
  • 6:41 - 6:43
    is why sometime you notice whenever you
  • 6:43 - 6:44
    try to browse some website it will
  • 6:44 - 6:46
    redirect to some kind of a social and
  • 6:46 - 6:49
    economic message websites okay so that
  • 6:49 - 6:51
    is basically called as a cyber violence
  • 6:51 - 6:53
    where i have my intention to disrupt the
  • 6:53 - 6:56
    society i have interim should interrupt
  • 6:56 - 6:58
    i have an intention to compromise the
  • 6:58 - 6:59
    society
  • 6:59 - 7:01
    okay like example we have a
  • 7:01 - 7:04
    scada plant we have a
  • 7:04 - 7:06
    ics plant ics stands for industrial
  • 7:06 - 7:08
    control system okay in middle east you
  • 7:08 - 7:11
    can see in the us you can see a lot of
  • 7:11 - 7:13
    machines are controlled by the computers
  • 7:13 - 7:15
    okay so here what we did is we hacked
  • 7:15 - 7:17
    into the computer networks
  • 7:17 - 7:19
    okay and by which we had disrupt their
  • 7:19 - 7:20
    power plants we disrupt their water
  • 7:20 - 7:23
    plant okay live example is i hack into
  • 7:23 - 7:24
    one water plant
  • 7:24 - 7:26
    okay remotely and i increase the
  • 7:26 - 7:28
    chlorine level of the water which
  • 7:28 - 7:30
    basically create more poison which is
  • 7:30 - 7:32
    not very in uh it is where it becomes
  • 7:32 - 7:34
    very injurious for the person to drink
  • 7:34 - 7:36
    so this is how i basically perform the
  • 7:36 - 7:39
    cyber violence so summary is that using
  • 7:39 - 7:41
    someone's wi-fi use a wi-fi and access
  • 7:41 - 7:43
    the things that is called cyber trespass
  • 7:43 - 7:45
    cyber deception is basically a phishing
  • 7:45 - 7:47
    campaign
  • 7:47 - 7:49
    and cyber violence is basically where we
  • 7:49 - 7:51
    are disrupting the networks disrupting
  • 7:51 - 7:53
    the things and it is lead to also
  • 7:53 - 7:55
    someone human life that's like dos
  • 7:55 - 7:57
    attack and ddos attack that is part of
  • 7:57 - 7:59
    the cyber violence
  • 7:59 - 8:01
    so now we're going to discuss about the
  • 8:01 - 8:03
    introduction of the digital forensics
  • 8:03 - 8:05
    because we hire forensic investigators
  • 8:05 - 8:08
    we hire a specialized officers who
  • 8:08 - 8:11
    investigate who perform this attack how
  • 8:11 - 8:14
    this attack happen and and
  • 8:14 - 8:16
    who can be the target what is the motive
  • 8:16 - 8:18
    for them so we have a dedicated team
  • 8:18 - 8:20
    okay in every every country there is a
  • 8:20 - 8:22
    dedicated team who involved in
  • 8:22 - 8:24
    investigating such kind of a computer's
  • 8:24 - 8:27
    crime and that is called as a forensic
  • 8:27 - 8:29
    investigator and that is my agenda in
  • 8:29 - 8:31
    this particular session so let's start
  • 8:31 - 8:32
    with the introduction of digital
  • 8:32 - 8:34
    forensics
  • 8:34 - 8:35
    okay
  • 8:35 - 8:37
    so what is
  • 8:37 - 8:39
    digital forensics so when you're talking
  • 8:39 - 8:40
    about digital and forensic it means
  • 8:40 - 8:43
    doing an investigation for a digital
  • 8:43 - 8:44
    stuff
  • 8:44 - 8:46
    so even you go by the definition digital
  • 8:46 - 8:48
    forensics is a part of forensic science
  • 8:48 - 8:51
    that focus on identifying acquiring
  • 8:51 - 8:54
    processing analyzing and reporting on
  • 8:54 - 8:56
    data stored electronically as i said
  • 8:56 - 8:59
    when rita
  • 8:59 - 9:03
    she receive an email
  • 9:03 - 9:05
    so first we have contact rita and ask
  • 9:05 - 9:07
    for the email
  • 9:07 - 9:09
    and we have identify the email content
  • 9:09 - 9:11
    we identify the email header and from
  • 9:11 - 9:13
    there we got a high level information
  • 9:13 - 9:17
    from which domain the email comes
  • 9:17 - 9:19
    what is the ip address of the server and what
  • 9:19 - 9:21
    is the primary location then we have
  • 9:21 - 9:23
    basically contacted that particular
  • 9:23 - 9:25
    companies and contacted and checked
  • 9:25 - 9:27
    those servers from where the mail has
  • 9:27 - 9:29
    been sent and from there we got ip that
  • 9:29 - 9:31
    was a sender ip was at this particular
  • 9:31 - 9:34
    host ip so here what happened we are
  • 9:34 - 9:36
    identifying the electronic information
  • 9:36 - 9:38
    because if you're talking about general
  • 9:38 - 9:40
    forensic investigation if someone has
  • 9:40 - 9:41
    killed someone
  • 9:41 - 9:43
    so we physically go there and collect
  • 9:43 - 9:45
    the evidence physical evidence but here
  • 9:45 - 9:48
    everything is digital you cannot touch
  • 9:48 - 9:50
    that it is a logical email you cannot
  • 9:50 - 9:52
    touch email is digital data
  • 9:52 - 9:54
    okay so you have to use specialized
  • 9:54 - 9:56
    tools to extract the email understand
  • 9:56 - 9:58
    the data you need to contact the server
  • 9:58 - 9:59
    from where we have sent an email we have
  • 9:59 - 10:02
    to contact that so here we are basically
  • 10:02 - 10:03
    fighting with the systems we are not
  • 10:03 - 10:05
    fighting with the person
  • 10:05 - 10:07
    here we are not identifying on a first
  • 10:07 - 10:10
    stage who which person did that we are
  • 10:10 - 10:12
    identifying which system was basically
  • 10:12 - 10:14
    used to perform this crime because once
  • 10:14 - 10:16
    we identify the system we will get the
  • 10:16 - 10:19
    system owner details or the system user
  • 10:19 - 10:20
    details you're getting a point so if the
  • 10:20 - 10:22
    mail has been sent from cyber cafe at
  • 10:22 - 10:25
    10:15 but that system was used by multiple
  • 10:25 - 10:27
    people right so from there we will
  • 10:27 - 10:29
    involve the camera in the camera it will
  • 10:29 - 10:31
    capture the digital data that at 10:15
  • 10:31 - 10:32
    which person was sitting on that
  • 10:32 - 10:35
    particular system then we will basically
  • 10:35 - 10:36
    contact the person
  • 10:36 - 10:38
    and find out okay why you send this
  • 10:38 - 10:40
    email so here the everything is digital
  • 10:40 - 10:42
    that is why they say identifying the
  • 10:42 - 10:43
    digital data
  • 10:43 - 10:45
    okay acquiring the digital data
  • 10:45 - 10:47
    processing the data for the correlation
  • 10:47 - 10:49
    then analyzing the value and then
  • 10:49 - 10:51
    according to that we do the final report
  • 10:51 - 10:54
    but we have a different type of digital
  • 10:54 - 10:56
    forensics like we have a computer
  • 10:56 - 10:58
    forensics like there was a computer was
  • 10:58 - 11:01
    hacked so we identify who hacked that so
  • 11:01 - 11:03
    there is an investigation involved in
  • 11:03 - 11:05
    computer aspect there was a mobile has
  • 11:05 - 11:06
    been used
  • 11:06 - 11:08
    for the threatening the mobile has been
  • 11:08 - 11:10
    used for sending a whatsapp message the
  • 11:10 - 11:12
    mobile was involved in uh giving a
  • 11:12 - 11:14
    threatening call so we have investigated
  • 11:14 - 11:16
    the mobiles and identified data from
  • 11:16 - 11:17
    there
  • 11:17 - 11:18
    then we have a network forensics someone
  • 11:18 - 11:20
    is basically doing multiple attacks on
  • 11:20 - 11:22
    the networks so we are dumping the
  • 11:22 - 11:24
    firewall logs we are identifying the
  • 11:24 - 11:27
    ids logs intrusion detection systems
  • 11:27 - 11:28
    from there we get a visibility what kind
  • 11:28 - 11:30
    of a traffic is coming in the network
  • 11:30 - 11:32
    from where which is a source is involved
  • 11:32 - 11:35
    so that is called as a network forensics
  • 11:35 - 11:37
    and last but not the least we have a
  • 11:37 - 11:38
    hardware forensics example like we
  • 11:38 - 11:40
    purchase some hardware devices like it
  • 11:40 - 11:43
    can be my mobile as a hardware device
  • 11:43 - 11:45
    okay router as a hardware device a
  • 11:45 - 11:47
    system as a hardware device so sometime
  • 11:47 - 11:48
    what happened
  • 11:48 - 11:50
    sometime it's sometime it's possible
  • 11:50 - 11:52
    that okay uh you know
  • 11:52 - 11:55
    vendor basically embedded a malware in
  • 11:55 - 11:57
    that sometime the user embedding some
  • 11:57 - 12:00
    kind of a trojan in the hardware so we
  • 12:00 - 12:01
    are trying to investigate is this
  • 12:01 - 12:03
    hardware is compromised
  • 12:03 - 12:04
    okay
  • 12:04 - 12:06
    because there is a possibility of
  • 12:06 - 12:07
    hardware is basically compromised then
  • 12:07 - 12:09
    it is a concern for us might be someone
  • 12:09 - 12:12
    has given me one one device with enable
  • 12:12 - 12:13
    with some mic and all that so we need to
  • 12:13 - 12:15
    investigate if someone has tampered or
  • 12:15 - 12:18
    something else so we have a digital
  • 12:18 - 12:22
    different type of digital forensics okay
  • 12:22 - 12:24
    so this is the introduction we have so
  • 12:24 - 12:26
    now we're going to understand about the
  • 12:26 - 12:29
    forensic investigation process
  • 12:29 - 12:31
    so on a high level different different
  • 12:31 - 12:32
    books
  • 12:32 - 12:34
    talk about different different forensic
  • 12:34 - 12:36
    investigation process
  • 12:36 - 12:38
    so here i have categorized that forensic
  • 12:38 - 12:41
    process in a four stages the first stage
  • 12:41 - 12:43
    is collection second is called as
  • 12:43 - 12:45
    examination third is called as analysis
  • 12:45 - 12:47
    and fourth is called as a reporting let
  • 12:47 - 12:49
    me give an example
  • 12:49 - 12:53
    so suppose this is my internet
  • 12:57 - 12:59
    okay
  • 13:01 - 13:04
    there is a firewall
  • 13:06 - 13:09
    and we have a switch
  • 13:14 - 13:17
    we have a system a
  • 13:17 - 13:20
    we have a system b
  • 13:20 - 13:23
    we have a system c
  • 13:23 - 13:26
    and we have a system d
  • 13:27 - 13:31
    now there is a ip called 1.1.1.1
  • 13:31 - 13:35
    it is attacker ip
  • 13:38 - 13:41
    this ip was able to bypass the firewall
  • 13:41 - 13:44
    and it attack system a it attacks system
  • 13:44 - 13:47
    b it attacks system c and attack system
  • 13:47 - 13:48
    d
  • 13:48 - 13:50
    so we got this confirmation that there
  • 13:50 - 13:52
    was ip was able to penetrate into the
  • 13:52 - 13:54
    firewall and able to hack into the
  • 13:54 - 13:56
    internal network and he was able to or
  • 13:56 - 13:58
    she was able to hack the ip or the
  • 13:58 - 14:00
    particular hacker was able to hack into
  • 14:00 - 14:03
    the multiple system
  • 14:03 - 14:04
    so i want to investigate
  • 14:04 - 14:08
    so here the first step what i did
  • 14:08 - 14:10
    i collected the information from the
  • 14:10 - 14:12
    firewall
  • 14:12 - 14:13
    i collected the information from a
  • 14:13 - 14:15
    system a b c d
  • 14:15 - 14:17
    so that is called as a data collection
  • 14:17 - 14:18
    process now here what happened we have
  • 14:18 - 14:22
    collected all type of data
  • 14:22 - 14:23
    i'm not saying i'm collecting a specific
  • 14:23 - 14:25
    type of data but i have collected the
  • 14:25 - 14:27
    all type of data
  • 14:27 - 14:29
    now second step is called as examination
  • 14:29 - 14:31
    now examination is as i said we have
  • 14:31 - 14:33
    collected all type of data but i want to
  • 14:33 - 14:37
    filter 1.1.1.1
  • 14:37 - 14:38
    okay because from the firewall we we
  • 14:38 - 14:41
    collected 40 gb data and from all the
  • 14:41 - 14:43
    system overall we collected 40 gb data
  • 14:43 - 14:45
    but there is no need for 40 gb data to
  • 14:45 - 14:48
    work on it so i want to examine
  • 14:48 - 14:51
    so i will basically filter only 1.1.1.1
  • 14:51 - 14:53
    data from this total 80 gb data so i
  • 14:53 - 14:56
    concluded around 2 gb of data which is
  • 14:56 - 14:59
    or 1 gb of data related to the 1.1.1.1 so that
  • 14:59 - 15:00
    is called as examination it means
  • 15:00 - 15:02
    examination is a process of filtering
  • 15:02 - 15:04
    out the information
  • 15:04 - 15:06
    now once the information is filtered and
  • 15:06 - 15:07
    we limit it to
  • 15:07 - 15:10
    1.1.1.1 logs then we try to analyze how
  • 15:10 - 15:11
    this event happen
  • 15:11 - 15:13
    okay so that is basically gold to the
  • 15:13 - 15:16
    analysis and finally we basically report
  • 15:16 - 15:18
    so each and every step we're going to
  • 15:18 - 15:20
    discuss in detail okay so step one is
  • 15:20 - 15:22
    collecting a data all type of data we
  • 15:22 - 15:25
    collect we will not miss anything
  • 15:25 - 15:27
    second step is basically called as a
  • 15:27 - 15:29
    examination i will try to correlate all
  • 15:29 - 15:32
    the data related to 1.1.1.1 if the data is
  • 15:32 - 15:35
    not related to the 1.1.1.1 i will
  • 15:35 - 15:36
    basically keep aside and then the
  • 15:36 - 15:39
    filtered data which is in the
  • 15:39 - 15:41
    examination stage on that i will do the
  • 15:41 - 15:43
    analysis to see how this entire incident
  • 15:43 - 15:44
    happened
  • 15:44 - 15:46
    and finally we basically called as a
  • 15:46 - 15:47
    reporting
  • 15:47 - 15:49
    so this is basically the parameter we
  • 15:49 - 15:50
    have so we're going to discuss each and
  • 15:50 - 15:52
    every step now in detail
  • 15:52 - 15:54
    one thing you need to remember in the
  • 15:54 - 15:56
    forensic investigation you need to work
  • 15:56 - 15:58
    strongly on the documentation so
  • 15:58 - 16:00
    documentation should be start from the
  • 16:00 - 16:02
    first phase itself
  • 16:02 - 16:03
    okay and make sure you should maintain
  • 16:03 - 16:06
    the accuracy so let's discuss each and
  • 16:06 - 16:08
    every process in detail
  • 16:08 - 16:10
    see when you're talking about first step
  • 16:10 - 16:12
    which is called as a data collection so
  • 16:12 - 16:15
    where we identifying the data source
  • 16:15 - 16:17
    and acquiring the data from them but
  • 16:17 - 16:19
    problem is that how to acquire data so
  • 16:19 - 16:22
    when you're talking about data
  • 16:22 - 16:24
    we have a two type of data one is
  • 16:24 - 16:27
    called as a volatile
  • 16:28 - 16:32
    and one is called as a non-volatile
  • 16:35 - 16:38
    okay one is called as a volatile and one
  • 16:38 - 16:40
    is called as a non-volatile sorry for my
  • 16:40 - 16:43
    handwriting let me
  • 16:45 - 16:49
    volatile and non-volatile
  • 16:53 - 16:56
    so whenever like as i said we have a
  • 16:56 - 16:58
    system a
  • 16:59 - 17:02
    we have a system a we have a system b we
  • 17:02 - 17:04
    have a system c a
  • 17:04 - 17:05
    b and c
  • 17:05 - 17:07
    and there was a hacker remotely he was
  • 17:07 - 17:09
    able to hack into the system so always
  • 17:09 - 17:11
    remember whenever you're initiating a
  • 17:11 - 17:13
    forensic investigation
  • 17:13 - 17:15
    never ever shut down the system
  • 17:15 - 17:17
    the reason is very simple because if you
  • 17:17 - 17:19
    shut down the system
  • 17:19 - 17:22
    you might lose the last access data
  • 17:22 - 17:24
    last
  • 17:24 - 17:25
    access data which is reside in the
  • 17:25 - 17:28
    memory
  • 17:28 - 17:30
    so one thing is at first disconnect the
  • 17:30 - 17:32
    network
  • 17:32 - 17:34
    it means remove the network cable
  • 17:34 - 17:36
    and in the case of mobile forensics put
  • 17:36 - 17:38
    the phone in a airplane mode do not
  • 17:38 - 17:41
    remove the sim okay don't shut down the
  • 17:41 - 17:44
    phone remove the
  • 17:45 - 17:47
    you know enable the airplane mode
  • 17:47 - 17:48
    okay
  • 17:48 - 17:50
    some people what they do they remove the
  • 17:50 - 17:52
    sim and then they enable the airplane
  • 17:52 - 17:53
    mode if you remove the sim you might
  • 17:53 - 17:55
    lose the memory data
  • 17:55 - 17:58
    so better is keep them keep the sim in
  • 17:58 - 17:59
    but
  • 17:59 - 18:01
    enable the airplane mode okay and then
  • 18:01 - 18:03
    do the investigation now when it come to
  • 18:03 - 18:05
    system here like abc was involved in the
  • 18:05 - 18:07
    ransomware attack or
  • 18:07 - 18:09
    they they were hacked remotely by the
  • 18:09 - 18:11
    hacker the first practice is remove the
  • 18:11 - 18:13
    network cable after doing an impact
  • 18:13 - 18:16
    analysis then the second important thing
  • 18:16 - 18:18
    is obtain the volatile data volatile is
  • 18:18 - 18:21
    basically mean a very sensitive data
  • 18:21 - 18:22
    very
  • 18:22 - 18:23
    um
  • 18:23 - 18:25
    it is not a static data it's a dynamic
  • 18:25 - 18:27
    data because if you shut down the system
  • 18:27 - 18:29
    you might lose this data
  • 18:29 - 18:30
    okay if you shut down the system you
  • 18:30 - 18:32
    might lose this data it's a very dynamic
  • 18:32 - 18:33
    data
  • 18:33 - 18:35
    so there is a sequence in which we need
  • 18:35 - 18:38
    to obtain the volatile data first we
  • 18:38 - 18:40
    need to dump the memory because content
  • 18:40 - 18:43
    of memory is basically include your last
  • 18:43 - 18:44
    access file
  • 18:44 - 18:46
    okay open connections and everything
  • 18:46 - 18:48
    then you have to dump the running
  • 18:48 - 18:50
    process then you dump the open file data
  • 18:50 - 18:51
    then you
  • 18:51 - 18:53
    dump the network configuration and then
  • 18:53 - 18:55
    you dump the operating system time
  • 18:55 - 18:57
    so this is the sequence we have in which
  • 18:57 - 18:59
    we need to obtain the data always
  • 18:59 - 19:01
    remember okay but non-volatile is what
  • 19:01 - 19:03
    you shut down the system and you can
  • 19:03 - 19:04
    make a ghost image of that that is
  • 19:04 - 19:06
    called as a non-volatile
  • 19:06 - 19:08
    so always remember whenever you
  • 19:08 - 19:10
    obtaining a data or collecting a data
  • 19:10 - 19:13
    first you should focus on a volatile
  • 19:13 - 19:15
    data and then you have to focus on the
  • 19:15 - 19:17
    non-volatile data
  • 19:17 - 19:19
    now you have collected all kind of
  • 19:19 - 19:20
    information
  • 19:20 - 19:21
    now second step is called as a
  • 19:21 - 19:23
    examination
  • 19:23 - 19:25
    examination is all about involving
  • 19:25 - 19:27
    assessing and extracting a relevant
  • 19:27 - 19:28
    piece of information from the collected
  • 19:28 - 19:30
    data so what we did we collected all
  • 19:30 - 19:32
    kind of information
  • 19:32 - 19:35
    but i need to focus on the particular ip
  • 19:35 - 19:36
    i need to focus on the particular
  • 19:36 - 19:39
    pattern i don't want anything else i
  • 19:39 - 19:41
    just want that important pattern
  • 19:41 - 19:44
    so i will try to extract this respective
  • 19:44 - 19:46
    ips i will try to extract the
  • 19:46 - 19:48
    particular pattern of traffic and what
  • 19:48 - 19:50
    is not relevant i can ignore that so
  • 19:50 - 19:52
    that is basically called as a second
  • 19:52 - 19:54
    step which is called as a examination
  • 19:54 - 19:57
    and then once you basically examine
  • 19:57 - 19:59
    then you will basically try to do the
  • 19:59 - 20:01
    analysis how this incident happened
  • 20:01 - 20:03
    because now you have a filter data so
  • 20:03 - 20:05
    analysis should include identifying
  • 20:05 - 20:08
    people place items events and determining
  • 20:08 - 20:10
    how these elements are related to the
  • 20:10 - 20:12
    conclusion can be reached so that is
  • 20:12 - 20:15
    called as analysis and finally you
  • 20:15 - 20:17
    prepare the complete report so during a
  • 20:17 - 20:19
    reporting you will compile all the data
  • 20:19 - 20:21
    first compile all the incidents compile
  • 20:21 - 20:23
    all the correlations
  • 20:23 - 20:25
    then in the report you should include
  • 20:25 - 20:27
    the tools the tools that you have used
  • 20:27 - 20:29
    because it's very important to give the
  • 20:29 - 20:31
    information to your stakeholder how you
  • 20:31 - 20:33
    have obtained the data okay who was
  • 20:33 - 20:36
    involved in this crime who was involved
  • 20:36 - 20:37
    in this investigation what was their
  • 20:37 - 20:39
    role any issue that occurred during the
  • 20:39 - 20:41
    entire process all challenges you can
  • 20:41 - 20:43
    document in the report like one day what
  • 20:43 - 20:45
    happened i was doing an investigation of
  • 20:45 - 20:47
    a server but i was not able to access
  • 20:47 - 20:48
    directly a server
  • 20:48 - 20:50
    i was not able to access some pii data
  • 20:50 - 20:51
    because of the compliance and legal
  • 20:51 - 20:54
    regulatory requirement so i can notify
  • 20:54 - 20:55
    this in a report that because of the
  • 20:55 - 20:56
    compliance and legal regulatory
  • 20:56 - 20:58
    requirement we failed to obtain the
  • 20:58 - 20:59
    reports
  • 20:59 - 21:01
    So the audience needs to be
  • 21:01 - 21:03
    considered. If you're giving this report
  • 21:03 - 21:05
    to your technical manager, definitely the
  • 21:05 - 21:07
    report will be very technical in nature,
  • 21:07 - 21:08
    but if you're giving this report to the
  • 21:08 - 21:10
    senior management, then remove all the
  • 21:10 - 21:12
    data and talk only about business.
  • 21:12 - 21:14
    Reporting should also include the
  • 21:14 - 21:16
    actionable information, you know, what can
  • 21:16 - 21:18
    be done in the future. So many forensics
  • 21:18 - 21:20
    and incident response teams also hold a
  • 21:20 - 21:23
    formal review after each major event,
  • 21:23 - 21:25
    and such reviews tend to include
  • 21:25 - 21:27
    serious consideration of possible
  • 21:27 - 21:29
    improvements to guidelines and procedures,
  • 21:29 - 21:31
    and typically at least some minor
  • 21:31 - 21:33
    changes are approved and implemented
  • 21:33 - 21:33
    after
  • 21:33 - 21:35
    each review. So that is basically part of
  • 21:35 - 21:37
    the reporting.
  • 21:37 - 21:39
    Okay, so these are the high-level steps
  • 21:39 - 21:41
    that we follow.
  • 21:41 - 21:43
    Now the next thing is called chain
  • 21:43 - 21:45
    of custody. Now what is chain of custody?
  • 21:45 - 21:47
    See,
  • 21:47 - 21:49
    I have obtained the evidence from this
  • 21:49 - 21:52
    incident scene,
  • 21:53 - 21:55
    okay, I have obtained the evidence
  • 21:55 - 21:57
    from this particular scene, this is the
  • 21:57 - 22:00
    crime scene, like hard disk,
  • 22:00 - 22:01
    data,
  • 22:01 - 22:04
    systems and all that. So I am Prabh,
  • 22:05 - 22:06
    okay, I have obtained this evidence from
  • 22:06 - 22:08
    this crime scene. Now I hand over this
  • 22:08 - 22:10
    evidence to
  • 22:10 - 22:14
    my colleague whose name is Kapil,
  • 22:14 - 22:16
    okay, Kapil hands over the evidence to
  • 22:16 - 22:19
    Abhishar.
  • 22:19 - 22:21
    Okay, so here what we have is a sequence
  • 22:21 - 22:22
    of handovers,
  • 22:22 - 22:24
    in which we have handed over, and because
  • 22:24 - 22:26
    Abhishar is the lawyer, Abhishar is
  • 22:26 - 22:28
    basically representing the forensic team
  • 22:28 - 22:29
    who is going to the court to submit this
  • 22:29 - 22:31
    evidence. So this is the chain we have
  • 22:31 - 22:32
    followed,
  • 22:32 - 22:33
    but
  • 22:33 - 22:35
    make sure there should be one document
  • 22:35 - 22:37
    we need to maintain, in which we need to
  • 22:37 - 22:38
    maintain the information about who
  • 22:38 - 22:40
    obtained the evidence, who holds the
  • 22:40 - 22:42
    evidence in the current scenario and what
  • 22:42 - 22:44
    was the hash value, and that document is
  • 22:44 - 22:46
    called the chain of custody.
  • 22:46 - 22:48
    Chain of custody also talks about the
  • 22:48 - 22:50
    sequence in which we have obtained the
  • 22:50 - 22:51
    evidence.
  • 22:51 - 22:53
    Okay, whatever the first evidence we have
  • 22:53 - 22:54
    obtained, that we will update in the
  • 22:54 - 22:56
    document; what is the second evidence we
  • 22:56 - 22:59
    have obtained, document; when the evidence
  • 22:59 - 23:00
    is handed over to another person, that is
  • 23:00 - 23:03
    documented. So it documents the sequence of
  • 23:03 - 23:04
    the possession,
  • 23:04 - 23:07
    control, transfer, analysis and disposal
  • 23:07 - 23:08
    of things, including physical or
  • 23:08 - 23:11
    electronic evidence. An important aspect
  • 23:11 - 23:13
    of evidence recording is the
  • 23:13 - 23:15
    chain of custody. So here we have item
  • 23:15 - 23:17
    one, we have a hard disk, we have given
  • 23:15 - 23:17
    the description, model number and all
  • 23:17 - 23:18
    that,
  • 23:18 - 23:19
    so it is released by Prabh and received
  • 23:19 - 23:21
    by
  • 23:21 - 23:22
    Kapil, and we're giving the comments and
  • 23:22 - 23:24
    everything. So this kind of a document we
  • 23:24 - 23:26
    have, which is attached with the evidence,
  • 23:26 - 23:28
    and when we submit the evidence in the
  • 23:28 - 23:30
    court we need to submit this document
  • 23:30 - 23:32
    also.
  • 23:32 - 23:34
    So to prove the chain of custody you
  • 23:34 - 23:35
    will need to provide the details of how the
  • 23:35 - 23:37
    evidence was handled in every step of
  • 23:37 - 23:39
    the way, because one thing is that to
  • 23:39 - 23:41
    testify to the crime in the court, evidence
  • 23:41 - 23:43
    is the only tool we have, evidence is the
  • 23:43 - 23:45
    only substance we have.
  • 23:47 - 23:48
    If
  • 23:48 - 23:50
    blah blah blah, a person has hacked the
  • 23:50 - 23:52
    email, or if the blah blah blah the
  • 23:52 - 23:54
    person sent the email to Rita, I need
  • 23:54 - 23:57
    evidence for that. So I went to a
  • 23:57 - 23:59
    particular system, I got the camera
  • 23:59 - 24:01
    records, and from there we were able to
  • 24:01 - 24:03
    identify at 12:15 that guy is the one who
  • 24:03 - 24:06
    sent the email. So we seized the laptop, we
  • 24:06 - 24:08
    seized the computer of the cyber cafe, we
  • 24:08 - 24:10
    took the picture of the camera, we
  • 24:10 - 24:12
    directly obtained the records from the
  • 24:12 - 24:14
    camera. These all are evidence, but who
  • 24:14 - 24:16
    obtained, when obtained, and when we have
  • 24:16 - 24:18
    transferred, that needs to be documented in one
  • 24:18 - 24:20
    paper, and that is called the chain of
  • 24:20 - 24:22
    custody.
  • 24:22 - 24:24
    So to prove chain of custody, all examiners
  • 24:24 - 24:26
    need to be prepared to answer the following
  • 24:26 - 24:28
    questions, like proof of evidence:
  • 24:28 - 24:30
    okay, how did you acquire this evidence,
  • 24:30 - 24:32
    when was the evidence gathered, and
  • 24:32 - 24:35
    who handled the evidence? Okay, so
  • 24:35 - 24:36
    that's the point we have.
  • 24:36 - 24:38
    But when we are talking about good evidence
  • 24:38 - 24:39
    principles,
  • 24:39 - 24:42
    let me give you a very good definition
  • 24:42 - 24:43
    of what evidence is. So if you go by the
  • 24:43 - 24:48
    Oxford dictionary, evidence is a noun,
  • 24:49 - 24:52
    actually. Okay, now for example, if someone has
  • 24:52 - 24:54
    physically,
  • 24:54 - 24:56
    if someone has killed one person,
  • 24:56 - 24:57
    okay, one person has killed another
  • 24:57 - 24:59
    person, so the knife is the evidence,
  • 24:59 - 25:02
    the fingerprint on the knife is evidence.
  • 25:02 - 25:03
    That is okay when it comes to
  • 25:03 - 25:06
    general forensic investigation, but when
  • 25:06 - 25:07
    it comes to digital forensics
  • 25:07 - 25:09
    everything is data,
  • 25:09 - 25:12
    okay, camera records, IP
  • 25:12 - 25:15
    records, the IP address belongs to a
  • 25:15 - 25:16
    particular attacker, all these are
  • 25:16 - 25:19
    basically evidence. So evidence is the
  • 25:19 - 25:22
    information or sign indicating whether a
  • 25:22 - 25:25
    belief or proposition is true
  • 25:25 - 25:28
    or valid; information used here to
  • 25:28 - 25:30
    establish the facts in a legal
  • 25:30 - 25:31
    investigation
  • 25:31 - 25:34
    or admissible as testimony in a law
  • 25:34 - 25:35
    court. That is what is called
  • 25:35 - 25:36
    evidence.
  • 25:36 - 25:38
    Okay, so here I am proposing my system
  • 25:38 - 25:40
    logs, here I am proposing the IP log, so
  • 25:40 - 25:42
    that is evidence. So evidence is the
  • 25:42 - 25:44
    information which indicates whether a
  • 25:44 - 25:46
    belief or proposition is true,
  • 25:46 - 25:49
    and information used to establish the
  • 25:49 - 25:51
    facts in a legal investigation or
  • 25:51 - 25:53
    admissible as testimony in a law
  • 25:53 - 25:56
    court. So the question is, what is our evidence,
  • 25:56 - 25:58
    or what are good evidence principles? The
  • 25:58 - 25:59
    first thing is to make a copy of the
  • 25:59 - 26:00
    system.
  • 26:00 - 26:02
    See, never ever do the investigation on a
  • 26:02 - 26:05
    live system. Always remember, suppose we
  • 26:05 - 26:07
    have a server,
  • 26:08 - 26:09
    this was the actual server which was
  • 26:09 - 26:11
    hacked, so there is no point in doing a
  • 26:11 - 26:14
    live investigation on the server. First
  • 26:14 - 26:17
    make a ghost copy,
  • 26:18 - 26:21
    okay, make a ghost copy and make a copy
  • 26:21 - 26:22
    of the system, and then install the copy
  • 26:22 - 26:24
    in another system and do the
  • 26:24 - 26:25
    investigation. So that is the thing. So the
  • 26:25 - 26:27
    question is what kind of copy. So we do
  • 26:27 - 26:29
    the bit-by-bit copy; a bit-by-bit copy is a
  • 26:29 - 26:32
    great copy in which it will capture your
  • 26:32 - 26:34
    deleted files, it will capture your slack
  • 26:34 - 26:35
    space,
  • 26:35 - 26:37
    it captures all your hidden files
  • 26:37 - 26:38
    and everything. So we always prefer,
  • 26:38 - 26:40
    whenever you are creating a copy of any
  • 26:40 - 26:42
    server, a copy of any desktop, go for the
  • 26:42 - 26:45
    bit-by-bit basis, not a file-by-file
  • 26:45 - 26:46
    basis,
  • 26:46 - 26:48
    and the media in which you're making a
  • 26:48 - 26:50
    ghost image, making a copy of the system,
  • 26:50 - 26:52
    that should have a write blocker, that
  • 26:52 - 26:56
    should have a write blocker disk,
  • 26:56 - 26:57
    write
  • 26:57 - 26:58
    blocker
  • 26:58 - 26:59
    disk.
  • 26:59 - 27:01
    Make sure to secure the original and work
  • 27:01 - 27:03
    on the copy, and document everything,
  • 27:03 - 27:06
    whether too small or too big,
  • 27:06 - 27:08
    and do your best to collect data in the
  • 27:08 - 27:10
    order of volatility which we discussed,
  • 27:10 - 27:12
    right? First we dump the memory data, then
  • 27:12 - 27:14
    network connections and all that. So that
  • 27:14 - 27:16
    is the good evidence principle we have.
  • 27:16 - 27:18
    So whenever you drive any kind of
  • 27:18 - 27:20
    investigation strategy, we have some
  • 27:20 - 27:22
    parameters to be understood. The first is
  • 27:22 - 27:24
    to understand the investigation
  • 27:24 - 27:26
    objectives and timeline. There are a lot
  • 27:26 - 27:28
    of investigators, okay, what they do when
  • 27:28 - 27:30
    they drive any kind of investigation:
  • 27:30 - 27:32
    without doing any analysis they start
  • 27:32 - 27:33
    the investigation, they don't understand
  • 27:33 - 27:35
    the intent of the crime, they don't
  • 27:35 - 27:36
    understand the motive of the hacker, they
  • 27:36 - 27:38
    don't understand the
  • 27:38 - 27:40
    purpose of the crime. So it is very
  • 27:40 - 27:41
    important, whenever you plan your
  • 27:41 - 27:43
    investigation, understand the objectives,
  • 27:43 - 27:45
    what is your timeline, what is the intent.
  • 27:45 - 27:47
    Okay, second is to make the list of
  • 27:47 - 27:49
    resources that you want for the
  • 27:49 - 27:50
    investigation.
  • 27:50 - 27:52
    According to the skill set, only take the
  • 27:52 - 27:54
    forensic investigators with you. Now,
  • 27:54 - 27:56
    for example, there was an enterprise
  • 27:56 - 27:58
    which got hacked, and in that enterprise
  • 27:58 - 28:01
    they're using Apple Mac, so we need some
  • 28:01 - 28:03
    forensic investigator who is good in Mac.
  • 28:03 - 28:05
    There's no point in taking a Windows
  • 28:05 - 28:07
    forensic investigator, because we have a
  • 28:07 - 28:08
    different way to do the forensic
  • 28:08 - 28:10
    investigation in Windows, we have a
  • 28:10 - 28:12
    different way of doing a forensic
  • 28:12 - 28:14
    investigation in Linux, we have a
  • 28:14 - 28:15
    different way of doing a forensic
  • 28:15 - 28:17
    investigation in
  • 28:17 - 28:19
    Unix, or we have a different forensic
  • 28:19 - 28:20
    investigation process in the
  • 28:20 - 28:23
    network. So make sure, after understanding
  • 28:23 - 28:25
    the objective and having clarity about
  • 28:25 - 28:27
    what is happening, according to that you
  • 28:27 - 28:29
    need to plan the resources. Even the tools
  • 28:29 - 28:31
    are also different:
  • 28:31 - 28:32
    for Windows we have a great tool which
  • 28:32 - 28:34
    cannot be good in Linux, we have good
  • 28:34 - 28:36
    tools in Linux which cannot be great in
  • 28:36 - 28:38
    Windows. So make sure you should
  • 28:38 - 28:40
    understand the things, and according to
  • 28:40 - 28:42
    that plan the resources. 90% of the
  • 28:42 - 28:44
    forensic teams
  • 28:44 - 28:46
    do literally miserably on the second
  • 28:46 - 28:47
    part,
  • 28:47 - 28:48
    they make a lot of mistakes.
  • 28:48 - 28:50
    Third is to identify the potential evidence
  • 28:50 - 28:52
    sources, because that is how you will be able
  • 28:52 - 28:55
    to establish the crime parameters,
  • 28:55 - 28:56
    hacking,
  • 28:56 - 28:57
    like if the hacking was initiated from a
  • 28:57 - 29:00
    particular laptop, identifying the IP is the
  • 29:00 - 29:01
    most important priority for us at the
  • 29:01 - 29:03
    first stage, then in the second stage we need to
  • 29:03 - 29:06
    check who is the user who used the laptop.
  • 29:06 - 29:08
    So it is very important to identify the
  • 29:08 - 29:10
    potential evidence sources, and make sure,
  • 29:10 - 29:11
    when you're
  • 29:11 - 29:13
    looking for the evidence source, look for
  • 29:13 - 29:15
    the authenticity. Third is to estimate the
  • 29:15 - 29:17
    value and expense of getting each
  • 29:17 - 29:19
    source of evidence. It's very important: I
  • 29:19 - 29:21
    got one piece of evidence directly from a server
  • 29:21 - 29:23
    which got hacked, and I got one piece of evidence
  • 29:23 - 29:24
    which is provided by the system
  • 29:24 - 29:26
    administrator. Definitely I will trust
  • 29:26 - 29:28
    that evidence which is directly obtained
  • 29:28 - 29:30
    from the server.
  • 29:30 - 29:31
    So we need to estimate the value. So
  • 29:31 - 29:33
    sometimes we have direct evidence and
  • 29:33 - 29:35
    sometimes we have indirect evidence, okay,
  • 29:35 - 29:37
    like someone told me that guy was
  • 29:37 - 29:38
    sitting on the system, that is called
  • 29:38 - 29:40
    indirect evidence, but we have
  • 29:40 - 29:42
    camera logs we talk about, that day the
  • 29:42 - 29:45
    person sat on the system and did the
  • 29:45 - 29:46
    hacking from there, so that is called
  • 29:46 - 29:48
    direct evidence.
  • 29:48 - 29:49
    Prioritize your evidence gathering: what
  • 29:49 - 29:51
    is the important need, what needs to be
  • 29:51 - 29:53
    reviewed later. So that is another
  • 29:53 - 29:55
    important thing we have,
  • 29:55 - 29:57
    and make a plan for first acquisition.
  • 29:57 - 29:59
    Instead of directly investigating and
  • 29:59 - 30:02
    all that, 20 to 30 percent of your
  • 30:02 - 30:04
    priorities are in the first stage, when you are
  • 30:04 - 30:06
    acquiring the data, because your entire
  • 30:06 - 30:08
    investigation is depending upon the
  • 30:08 - 30:11
    acquisition of the data. If you acquire the
  • 30:11 - 30:12
    wrong data, based on that you do the
  • 30:12 - 30:14
    wrong action, based on the wrong action you
  • 30:14 - 30:16
    will take the wrong decisions, and the
  • 30:16 - 30:18
    wrong person will feel guilty. So it's
  • 30:18 - 30:21
    very important, whatever you're doing
  • 30:21 - 30:23
    during the time of acquisition, you
  • 30:23 - 30:24
    should thoroughly understand the
  • 30:24 - 30:26
    things; make sure you obtain the accurate
  • 30:26 - 30:27
    data.
  • 30:27 - 30:29
    So this will be your investigation
  • 30:29 - 30:31
    strategy when you deal with any
  • 30:31 - 30:32
    kind of crime scene.
  • 30:32 - 30:34
    So now there are some technical tools
  • 30:34 - 30:36
    that are basically used in digital
  • 30:36 - 30:39
    forensics, so that we're going to discuss
  • 30:39 - 30:40
    in the next part.
  • 30:40 - 30:42
    Okay, so now we're going to discuss
  • 30:42 - 30:44
    the different types of tools which are
  • 30:44 - 30:47
    used in forensic, in digital forensic
  • 30:47 - 30:49
    investigation. So one of the first tools
  • 30:49 - 30:51
    we call the SIFT Workstation. I'm
  • 30:51 - 30:53
    sure you've heard about Kali Linux. Now when
  • 30:53 - 30:56
    you install Kali Linux, okay, in any
  • 30:56 - 30:56
    system,
  • 30:56 - 30:59
    it installs with multiple tools. It is
  • 30:59 - 31:02
    like an OS, right, and within that OS you can
  • 31:02 - 31:04
    see multiple pen testing or
  • 31:04 - 31:07
    security testing tools. Same like that, SIFT is
  • 31:07 - 31:09
    like a workstation,
  • 31:09 - 31:10
    its image is available, you can
  • 31:10 - 31:12
    download, you can mount, you can run that
  • 31:12 - 31:15
    system, and those utilities, this
  • 31:15 - 31:16
    workstation basically includes
  • 31:16 - 31:19
    multiple tools, okay.
  • 31:19 - 31:21
    So it is one of the popular ones which is
  • 31:21 - 31:23
    used for forensic investigation,
  • 31:23 - 31:24
    and
  • 31:24 - 31:27
    it also includes several open source
  • 31:27 - 31:29
    incident response tools within that
  • 31:29 - 31:31
    workstation, and one of the important
  • 31:31 - 31:33
    features of the SIFT
  • 31:33 - 31:35
    toolkit is that it
  • 31:35 - 31:37
    has some utilities which are used to
  • 31:37 - 31:39
    examine the raw disk,
  • 31:39 - 31:40
    okay, able to understand multiple
  • 31:40 - 31:42
    file systems. So for example, we are running a
  • 31:42 - 31:44
    system A, we are running a system B and
  • 31:44 - 31:46
    we are running a system C,
  • 31:46 - 31:48
    so system A is running with Windows,
  • 31:48 - 31:49
    system B is running with Linux and
  • 31:49 - 31:52
    system C is running with Mac.
  • 31:52 - 31:53
    Each and every system is running with a
  • 31:53 - 31:55
    different file system. So I installed the
  • 31:55 - 31:58
    SIFT Workstation on this system,
  • 31:58 - 32:01
    which is my laptop, I'm an investigator,
  • 32:01 - 32:03
    and then I basically connect with
  • 32:03 - 32:04
    the systems and extract the data from
  • 32:04 - 32:06
    there,
  • 32:06 - 32:09
    or I can basically boot my system
  • 32:09 - 32:11
    A, boot this particular system with the
  • 32:11 - 32:14
    SIFT Workstation as a live CD, and I
  • 32:14 - 32:16
    can investigate these systems
  • 32:16 - 32:18
    easily. So for me
  • 32:18 - 32:20
    investigating a different file system
  • 32:20 - 32:22
    will not be the challenge,
  • 32:22 - 32:23
    and
  • 32:23 - 32:25
    the second toolkit that we are using is FTK,
  • 32:25 - 32:27
    which is from the company called Access
  • 32:27 - 32:30
    Data. So in that toolkit, one of the
  • 32:30 - 32:32
    important tools in the toolkit is called
  • 32:32 - 32:35
    FTK Imager. So when we say FTK
  • 32:35 - 32:37
    Imager, within that we have a system A,
  • 32:37 - 32:39
    we have a system B, we have a system C. So
  • 32:39 - 32:41
    this was the system which was hacked
  • 32:41 - 32:42
    remotely,
  • 32:42 - 32:44
    okay, so I want to make a ghost copy of
  • 32:44 - 32:46
    the system, I want to make a copy of the
  • 32:46 - 32:47
    system, because we cannot do the
  • 32:47 - 32:50
    investigation on the live system. So how
  • 32:50 - 32:52
    to do that? In that case the popular tool we
  • 32:52 - 32:55
    are using is FTK Imager. So with the help
  • 32:55 - 32:58
    of FTK Imager we can create an
  • 32:58 - 33:00
    image of the complete system, and then I
  • 33:00 - 33:03
    can basically copy that image or
  • 33:03 - 33:06
    mount that image in another system and
  • 33:06 - 33:08
    then I will do the further investigation
  • 33:08 - 33:09
    on that system. So this is one of
  • 33:09 - 33:11
    the popular tools we have.
  • 33:11 - 33:13
    Along with that we also have another one
  • 33:13 - 33:16
    which is called the Digital Evidence
  • 33:16 - 33:18
    Forensic Toolkit. It is well popular in
  • 33:18 - 33:21
    intelligence,
  • 33:21 - 33:24
    government activities. So the reason
  • 33:24 - 33:26
    is that they have
  • 33:26 - 33:28
    some tools which have the
  • 33:28 - 33:30
    capability to open encrypted files
  • 33:30 - 33:31
    also,
  • 33:31 - 33:34
    and are able to recover deleted data.
  • 33:34 - 33:37
    Okay, so that is why it is one of the
  • 33:37 - 33:39
    popular utilities we have, which is
  • 33:39 - 33:42
    recommended by different enforcement
  • 33:42 - 33:44
    agencies also, okay.
  • 33:44 - 33:45
    But when we are dealing with different
  • 33:45 - 33:46
    types of,
  • 33:46 - 33:47
    uh,
  • 33:47 - 33:50
    data, okay, we need to make an image of the
  • 33:50 - 33:52
    system, or we have different types of
  • 33:52 - 33:54
    extensions of the files. So one of the
  • 33:54 - 33:58
    popular extensions we have is dd.
  • 33:58 - 34:00
    dd is called data duplication. So it
  • 34:00 - 34:03
    also comes with a dd utility which is
  • 34:03 - 34:04
    used to copy
  • 34:04 - 34:07
    the Linux system, and then we can
  • 34:07 - 34:09
    create an image and I can dump the image,
  • 34:09 - 34:11
    I can mount the image in another system
  • 34:11 - 34:13
    and do the investigation. So dd is
  • 34:13 - 34:14
    another
  • 34:14 - 34:16
    type of file we have. Then we have the AFF
  • 34:16 - 34:18
    file format that is basically used in
  • 34:18 - 34:21
    forensic investigation.
  • 34:21 - 34:23
    So it is an extensible open format for the
  • 34:23 - 34:24
    storage of disk images,
  • 34:24 - 34:27
    and it was created to be an open and
  • 34:27 - 34:29
    extensible file format to store disk
  • 34:29 - 34:32
    images and associated metadata.
  • 34:32 - 34:35
    So AFF had a goal to create a disk image
  • 34:35 - 34:37
    format that would not lock the user into a
  • 34:37 - 34:40
    proprietary format that may limit how he or
  • 34:40 - 34:42
    she may be able to analyze it, and today
  • 34:42 - 34:45
    it is a preferred tool for
  • 34:45 - 34:47
    gathering intelligence and resolving
  • 34:47 - 34:50
    security incidents. It means if you make a
  • 34:50 - 34:52
    ghost image, if you make an image in AFF
  • 34:52 - 34:53
    format, suppose you make a copy of the
  • 34:53 - 34:56
    system in AFF format, so in that case we
  • 34:56 - 34:59
    can use this AFF utility with multiple
  • 34:59 - 35:00
    forensic tools.
  • 35:00 - 35:02
    We also have other different types of
  • 35:02 - 35:04
    image, like the raw image, which basically
  • 35:04 - 35:07
    does the bit-by-bit copy, and the great
  • 35:07 - 35:09
    advantage of a bit-by-bit copy is it will
  • 35:09 - 35:11
    capture the entire disk,
  • 35:11 - 35:13
    the entire volume, without any deletion or
  • 35:13 - 35:16
    addition. And the raw image format was
  • 35:16 - 35:18
    used by dd also, but nowadays
  • 35:18 - 35:20
    multiple forensics applications also
  • 35:20 - 35:22
    support that. It means if we have a system
  • 35:22 - 35:25
    A, system B and system C, when I make a
  • 35:25 - 35:27
    copy of the system and the image is a raw
  • 35:27 - 35:28
    image,
  • 35:28 - 35:30
    so that raw image can be used by
  • 35:30 - 35:32
    multiple forensic tools, because when we
  • 35:32 - 35:34
    need to do the investigation on the
  • 35:34 - 35:35
    system, definitely we are not doing an
  • 35:35 - 35:37
    investigation on the live system, so we
  • 35:37 - 35:39
    mount the image which is created from a
  • 35:39 - 35:42
    system, and the tool will read the image and
  • 35:42 - 35:44
    according to that do the investigation.
  • 35:44 - 35:46
    We also have other extensions like .dmp,
  • 35:46 - 35:50
    .dump, .crash, .mem, .vmem and .mdmp. So this is
  • 35:50 - 35:52
    more like memory dump data.
  • 35:52 - 35:53
    So sometimes when we need to review the
  • 35:53 - 35:55
    memory and all that, these are the
  • 35:55 - 35:57
    extensions in which we basically save the
  • 35:57 - 36:00
    file. We also have binary dumps for the
  • 36:00 - 36:02
    memory, which are called .bin and .dat
  • 36:02 - 36:06
    files, unallocated or raw data or binary.
  • 36:06 - 36:08
    So this is also very useful when we
  • 36:08 - 36:10
    need to investigate open files and
  • 36:10 - 36:12
    everything. Sometimes if you want to
  • 36:12 - 36:14
    investigate a virtual machine, we have the
  • 36:14 - 36:16
    extension called vmdk,
  • 36:16 - 36:18
    and when the FTK tool is creating an image
  • 36:18 - 36:20
    it stores the image in this particular
  • 36:20 - 36:21
    format.
  • 36:21 - 36:24
    So this is all from my side, team. If you
  • 36:24 - 36:26
    find this video useful, do let me know in
  • 36:26 - 36:28
    the comment box what is the next video
  • 36:28 - 36:31
    you want me to make on forensics. I'm
  • 36:31 - 36:33
    very happy to receive your feedback, by
  • 36:33 - 36:35
    which I can improve my videos, and
  • 36:35 - 36:37
    I'm sure if you're new to my channel, do
  • 36:37 - 36:39
    subscribe to my channel and click on the
  • 36:39 - 36:41
    bell icon to make sure you do not
  • 36:41 - 36:43
    miss my future videos on a similar topic,
  • 36:43 - 36:45
    and do let me know in the comment box
  • 36:45 - 36:48
    what are the top popular forensic tools
  • 36:48 - 36:49
    from your point of view which can be
  • 36:49 - 36:51
    used for forensic investigation apart
  • 36:51 - 36:53
    from what is mentioned in the slides.
  • 36:53 - 36:55
    Thank you for watching my video.
  • 36:55 - 36:59
    Bye, take care.
Title:
Introduction to Digital Forensics - Learn the Basics
Description:

Video Language:
English
Duration:
36:58