Introduction to Digital Forensics - Learn the Basics

Rollback to version 1

0:00 - 0:07

[Music]
0:07 - 0:09

hello team welcome to my session on
0:09 - 0:11

coffee with prab and today we're going
0:11 - 0:15

to discuss about digital forensics yes
0:15 - 0:17

it is one of the
0:17 - 0:18

a great career perspective for the
0:18 - 0:20

information security professional so i
0:20 - 0:23

thought i will make one video on digital
0:23 - 0:25

forensics i am planning to make more
0:25 - 0:27

videos on digital forensics in future
0:27 - 0:29

where i am going to discuss about some
0:29 - 0:31

cases so if you're new to my channel do
0:31 - 0:33

subscribe to my youtube channel and
0:33 - 0:35

click on the bell icon to make sure you
0:35 - 0:37

should not miss my future videos on a
0:37 - 0:38

similar topic
0:38 - 0:40

my name is prabhnayar for more
0:40 - 0:42

information you can refer my linkedin
0:42 - 0:45

profile so without wasting a time let's
0:45 - 0:47

start with the first part
0:47 - 0:50

so instead of starting with what is
0:50 - 0:52

forensics or digital forensics i thought
0:52 - 0:55

let me give you a first brief idea about
0:55 - 0:57

cyber crime okay so when we say word
0:57 - 0:58

cyber
0:58 - 1:00

and when we say the word crime what is
1:00 - 1:01

that
1:01 - 1:03

when you're talking about cyber cyber is
1:03 - 1:06

a is a concept of you know cyber is
1:06 - 1:08

relating to or characteristics of the
1:08 - 1:10

culture of computers
1:10 - 1:12

information technology and virtual
1:12 - 1:14

reality so cyber is related to the
1:14 - 1:17

network cyber is related to the systems
1:17 - 1:19

and crime is basically called as an
1:19 - 1:22

action or omission which constitutes an
1:22 - 1:23

offense
1:23 - 1:26

so where computer is involved in
1:26 - 1:30

committing a crime a computer was used
1:30 - 1:32

to committing a crime that is basically
1:32 - 1:34

called as a cyber crime so we have a
1:34 - 1:36

different kind of an expertise who
1:36 - 1:38

involved in the cyber crime
1:38 - 1:40

investigation in layman i can say
1:40 - 1:42

suppose there is a candidate name is
1:42 - 1:45

rita
1:45 - 1:49

one day she received a threatening email
1:49 - 1:51

that okay i will kill you
1:51 - 1:53

okay or i will
1:53 - 1:56

do something bad so this kind of a email
1:56 - 1:59

rita received now rita what she did she
1:59 - 2:03

report that issue to the police
2:03 - 2:05

now what police did police basically
2:05 - 2:09

contact the cyber team
2:10 - 2:12

and cyber team basically investigated
2:12 - 2:14

the email from where the email comes
2:14 - 2:17

what is the iep address of the email
2:17 - 2:19

what is the source what is the details
2:19 - 2:21

so here what happened the computer and
2:21 - 2:24

their associate details artifacts has
2:24 - 2:26

been used to identify who sent the
2:26 - 2:28

threatening email to rita
2:28 - 2:30

see here the rita has not received any
2:30 - 2:33

kind of physical threat okay it mean
2:33 - 2:34

that the person is not standing outside
2:34 - 2:37

the gate and threatening rita
2:37 - 2:39

she receive an email which is also an
2:39 - 2:41

electronic email it is not a postal
2:41 - 2:43

email it is an electronic email which
2:43 - 2:47

she receive on an email or in a mailbox
2:47 - 2:49

so based on the data
2:49 - 2:51

which is received by rita we have
2:51 - 2:54

investigated where we identify what can
2:54 - 2:56

be the sender
2:56 - 2:58

who is the sender from which ip address
2:58 - 3:00

this email come then we contact that
3:00 - 3:02

server then from the server we identify
3:02 - 3:04

the mail has been sent from this
3:04 - 3:06

particular ip then we went to that
3:06 - 3:07

system
3:07 - 3:09

but problem is that that system is used
3:09 - 3:10

by multiple people then we check the
3:10 - 3:13

camera from the camera we identify on
3:13 - 3:15

that particular time who was sitting on
3:15 - 3:17

the computer then we took a picture and
3:17 - 3:19

this is how we have invest he can
3:19 - 3:22

identify who sent an email to rita
3:22 - 3:23

okay so this is basically where the
3:23 - 3:25

computer has been used to identify and
3:25 - 3:27

track because in this particular
3:27 - 3:28

condition
3:28 - 3:31

computer was used as a tool to commit a
3:31 - 3:32

crime
3:32 - 3:33

okay
3:33 - 3:34

so that is called as a cyber crime so
3:34 - 3:37

when we talking about cyber
3:37 - 3:39

crime it has a two perspective
3:39 - 3:41

so in this this in cyber crime the
3:41 - 3:43

computers are basically involved to
3:43 - 3:45

compete com uh to commit the crime so
3:45 - 3:47

question is how one condition is
3:47 - 3:50

computer is a target now example we have
3:50 - 3:52

a company which is running a very
3:52 - 3:54

critical servers every day from this
3:54 - 3:56

particular server we are generating a
3:56 - 3:58

thousand dollar business
3:58 - 3:59

now one of our
3:59 - 4:02

enemies or one of our competitors they
4:02 - 4:04

hire hackers and they basically try to
4:04 - 4:06

shut down the servers because they know
4:06 - 4:08

very well if the server is basically
4:08 - 4:10

down it will impact the business it is
4:10 - 4:11

actually a crime
4:11 - 4:13

because what you're doing here is you
4:13 - 4:15

are manipulating my servers you shutting
4:15 - 4:16

down my servers and which impact my
4:16 - 4:18

business and it is a loss of money for
4:18 - 4:22

me so here in a cyber crime computer was
4:22 - 4:24

used as a target okay so in this case
4:24 - 4:27

they have targeted my server now here
4:27 - 4:29

what happened hacker also using his
4:29 - 4:30

computer
4:30 - 4:32

in which he using a tool to perform the
4:32 - 4:34

attack so here the computer was used as
4:34 - 4:37

a mechanism so that is why in the cyber
4:37 - 4:39

crime we say that computer as a target
4:39 - 4:41

where i'm targeting a computer to hack
4:41 - 4:44

the computer and computer as i use it
4:44 - 4:45

mean i am using my laptop to commit a
4:45 - 4:46

crime
4:46 - 4:48

so that is basically usage of cyber
4:48 - 4:51

crime now in the cyber crime as if you
4:51 - 4:52

go by the process we have a multiple
4:52 - 4:54

type of cyber crime but here i have
4:54 - 4:56

categorized the cyber crime into three
4:56 - 4:58

category one is called as a cyber tree
4:58 - 5:01

pass trespass second is basically called
5:01 - 5:03

as a cyber deception and third is
5:03 - 5:06

basically called as a cyber violence so
5:06 - 5:08

first is basically called as a cyber
5:08 - 5:10

trespass so cyber trespass is basically
5:10 - 5:12

referred to act of crossing the
5:12 - 5:14

boundaries of ownership in online
5:14 - 5:16

environment or connect
5:16 - 5:18

with the unauthorized network one
5:18 - 5:20

example i can give you so this is
5:20 - 5:24

basically the wi-fi shop we have
5:25 - 5:27

coffee shop sorry
5:27 - 5:29

this is the coffee shop we have okay i
5:29 - 5:31

want to commit i want to send a
5:31 - 5:33

threatening email to rita definitely if
5:33 - 5:36

i use my house ip or if i use my house
5:36 - 5:37

internet to send an email they can able
5:37 - 5:40

to track the mail came from prep
5:40 - 5:43

now what happened i went to coffee shop
5:43 - 5:45

okay i took one coffee
5:45 - 5:47

and they have a wi-fi but they are not
5:47 - 5:49

sharing me the username password so i
5:49 - 5:52

basically try to hack the wi-fi network
5:52 - 5:54

use a wi-fi network to send an email so
5:54 - 5:56

here i have used some other organization
5:56 - 5:58

wi-fi and through that i was trying to
5:58 - 6:00

hack so that is called as a cyber
6:00 - 6:01

trespass
6:01 - 6:03

second is called as a cyber deception
6:03 - 6:05

cyber deception is basically like a
6:05 - 6:07

phishing where i'm sending a phishing
6:07 - 6:09

email to you know collect more and more
6:09 - 6:10

information about the user like i sent
6:10 - 6:12

you a phishing email hey you want the
6:12 - 6:14

lottery and to claim the lottery you
6:14 - 6:15

need to share your account details and
6:15 - 6:18

other information so here what happened
6:18 - 6:20

i have collected your information so
6:20 - 6:22

that is called as a cyber deception and
6:22 - 6:24

third is called as a cyber violence now
6:24 - 6:26

i want to promote uh
6:26 - 6:28

some social message i want to promote
6:28 - 6:30

some economic message okay i want to
6:30 - 6:32

promote some religious message so i know
6:32 - 6:34

facebook server yahoo server google
6:34 - 6:37

server is basically receive huge traffic
6:37 - 6:39

so we hack into those servers and we
6:39 - 6:41

promote our social economic message that
6:41 - 6:43

is why sometime you notice whenever you
6:43 - 6:44

try to browse some website it will
6:44 - 6:46

redirect to some kind of a social and
6:46 - 6:49

economic message websites okay so that
6:49 - 6:51

is basically called as a cyber violence
6:51 - 6:53

where i have my intention to disrupt the
6:53 - 6:56

society i have interim should interrupt
6:56 - 6:58

i have an intention to compromise the
6:58 - 6:59

society
6:59 - 7:01

okay like example we have a
7:01 - 7:04

scada plant we have a
7:04 - 7:06

ics plant ic stand for industrial
7:06 - 7:08

control system okay in middle east you
7:08 - 7:11

can see in the us you can see a lot of
7:11 - 7:13

machines are controlled by the computers
7:13 - 7:15

okay so here what we did is we hacked
7:15 - 7:17

into the computer networks
7:17 - 7:19

okay and by which we had disrupt their
7:19 - 7:20

power plants we disrupt their water
7:20 - 7:23

plant okay live example is i hack into
7:23 - 7:24

one water plant
7:24 - 7:26

okay remotely and i increase the
7:26 - 7:28

chlorine level of the water which
7:28 - 7:30

basically create more poison which is
7:30 - 7:32

not very in uh it is where it becomes
7:32 - 7:34

very injurious for the person to drink
7:34 - 7:36

so this is how i basically perform the
7:36 - 7:39

cyber violence so summary is that using
7:39 - 7:41

someone's wi-fi use a wi-fi and access
7:41 - 7:43

the things that is called cyber trespass
7:43 - 7:45

cyber deception is basically a phishing
7:45 - 7:47

campaign
7:47 - 7:49

and cyber violence is basically where we
7:49 - 7:51

are disrupting the networks disrupting
7:51 - 7:53

the things and it is lead to also
7:53 - 7:55

someone human life that's like dos
7:55 - 7:57

attack and ddos attack that is part of
7:57 - 7:59

the cyber violence
7:59 - 8:01

so now we're going to discuss about the
8:01 - 8:03

introduction of the digital forensics
8:03 - 8:05

because we hire forensic investigators
8:05 - 8:08

we hire a specialized officers who
8:08 - 8:11

investigate who perform this attack how
8:11 - 8:14

this attack happen and and
8:14 - 8:16

who can be the target what is the motive
8:16 - 8:18

for them so we have a dedicated team
8:18 - 8:20

okay in every every country there is a
8:20 - 8:22

dedicated team who involved in
8:22 - 8:24

investigating such kind of a computer's
8:24 - 8:27

crime and that is called as a forensic
8:27 - 8:29

investigator and that is my agenda in
8:29 - 8:31

this particular session so let's start
8:31 - 8:32

with the introduction of digital
8:32 - 8:34

forensics
8:34 - 8:35

okay
8:35 - 8:37

so what is
8:37 - 8:39

digital forensics so when you're talking
8:39 - 8:40

about digital and forensic it means
8:40 - 8:43

doing an investigation for a digital
8:43 - 8:44

stuff
8:44 - 8:46

so even you go by the definition digital
8:46 - 8:48

forensics is a part of forensic science
8:48 - 8:51

that focus on identifying acquiring
8:51 - 8:54

processing analyzing and reporting on
8:54 - 8:56

data stored electronically as i said
8:56 - 8:59

when rita
8:59 - 9:03

she receive an email
9:03 - 9:05

so first we have contact rita and ask
9:05 - 9:07

for the email
9:07 - 9:09

and we have identify the email content
9:09 - 9:11

we identify the email header and from
9:11 - 9:13

there we got a high level information
9:13 - 9:17

from which domain the email comes
9:17 - 9:19

what is the ip addresso server and what
9:19 - 9:21

is the primary location then we have
9:21 - 9:23

basically contacted that particular
9:23 - 9:25

companies and contacted and checked
9:25 - 9:27

those servers from where the mail has
9:27 - 9:29

been sent and from there we got ip that
9:29 - 9:31

was a sender ip was at this particular
9:31 - 9:34

host ip so here what happened we are
9:34 - 9:36

identifying the electronic information
9:36 - 9:38

because if you're talking about general
9:38 - 9:40

forensic investigation if someone has
9:40 - 9:41

killed someone
9:41 - 9:43

so we physically go there and collect
9:43 - 9:45

the evidence physical evidence but here
9:45 - 9:48

everything is digital you cannot touch
9:48 - 9:50

that it is a logical email you cannot
9:50 - 9:52

touch email is additional data
9:52 - 9:54

okay so you have to use specialized
9:54 - 9:56

tools to extract the email understand
9:56 - 9:58

the data you need to contact the server
9:58 - 9:59

from where we have sent an email we have
9:59 - 10:02

to contact that so here we are basically
10:02 - 10:03

fighting with the systems we are not
10:03 - 10:05

fighting with the person
10:05 - 10:07

here we are not identifying on a first
10:07 - 10:10

stage who which person did that we are
10:10 - 10:12

identifying which system was basically
10:12 - 10:14

used to perform this crime because once
10:14 - 10:16

we identify the system we will get the
10:16 - 10:19

system owner details or the system user
10:19 - 10:20

details you're getting a point so if the
10:20 - 10:22

mail has been sent from cyber cafe at 10
10:22 - 10:25

15 but that system was used by multiple
10:25 - 10:27

people right so from there we will
10:27 - 10:29

involve the camera in the camera it will
10:29 - 10:31

capture the digital data that at 10 15
10:31 - 10:32

which person was sitting on that
10:32 - 10:35

particular system then we will basically
10:35 - 10:36

contact the person
10:36 - 10:38

and find out okay why you send this
10:38 - 10:40

email so here the everything is digital
10:40 - 10:42

that is why they say identifying the
10:42 - 10:43

digital data
10:43 - 10:45

okay acquiring the digital data
10:45 - 10:47

processing the data for the correlation
10:47 - 10:49

then analyzing the value and then
10:49 - 10:51

according to that we do the final report
10:51 - 10:54

but we have a different type of digital
10:54 - 10:56

forensics like we have a computer
10:56 - 10:58

forensics like there was a computer was
10:58 - 11:01

hacked so we identify who hacked that so
11:01 - 11:03

there is an investigation involved in
11:03 - 11:05

computer aspect there was a mobile has
11:05 - 11:06

been used
11:06 - 11:08

for the threatening the mobile has been
11:08 - 11:10

used for sending a whatsapp message the
11:10 - 11:12

mobile was involved in uh giving a
11:12 - 11:14

threatening call so we have investigated
11:14 - 11:16

the mobiles and identified data from
11:16 - 11:17

there
11:17 - 11:18

then we have a network forensics someone
11:18 - 11:20

is basically doing multiple attacks on
11:20 - 11:22

the networks so we are dumping the
11:22 - 11:24

firewall locks we are identifying the
11:24 - 11:27

ids locks intrusion detection systems
11:27 - 11:28

from there we get a visibility what kind
11:28 - 11:30

of a traffic is coming in the network
11:30 - 11:32

from where which is a source is involved
11:32 - 11:35

so that is called as a network forensics
11:35 - 11:37

and last but not the least we have a
11:37 - 11:38

hardware forensics example like we
11:38 - 11:40

purchase some hardware devices like it
11:40 - 11:43

can be my mobile as a hardware device
11:43 - 11:45

okay router as a hardware device a
11:45 - 11:47

system as a hardware device so sometime
11:47 - 11:48

what happened
11:48 - 11:50

sometime it's sometime it's possible
11:50 - 11:52

that okay uh you know
11:52 - 11:55

vendor basically embodied a malware in
11:55 - 11:57

that sometime the user embedding some
11:57 - 12:00

kind of a trojan in the hardware so we
12:00 - 12:01

are trying to investigate is this
12:01 - 12:03

hardware is compromised
12:03 - 12:04

okay
12:04 - 12:06

because there is a possibility of
12:06 - 12:07

hardware is basically compromised then
12:07 - 12:09

it is a concern for us might be someone
12:09 - 12:12

has given me one one device with enable
12:12 - 12:13

with some mic and all that so we need to
12:13 - 12:15

investigate it is someone has stamped or
12:15 - 12:18

something else so we have a digital
12:18 - 12:22

different type of digital forensics okay
12:22 - 12:24

so this is the introduction we have so
12:24 - 12:26

now we're going to understand about the
12:26 - 12:29

forensic investigation process
12:29 - 12:31

so on a high level different different
12:31 - 12:32

books
12:32 - 12:34

talk about different different forensic
12:34 - 12:36

investigation process
12:36 - 12:38

so here i have categorized that forensic
12:38 - 12:41

process in a four stages the first stage
12:41 - 12:43

is collection second is called as
12:43 - 12:45

examination third is called as analysis
12:45 - 12:47

and fourth is called as a reporting let
12:47 - 12:49

me give an example
12:49 - 12:53

so suppose this is my internet
12:57 - 12:59

okay
13:01 - 13:04

there is a firewall
13:06 - 13:09

and we have a switch
13:14 - 13:17

we have a system a
13:17 - 13:20

we have a system b
13:20 - 13:23

we have a system c
13:23 - 13:26

and we have a system d
13:27 - 13:31

now there is a ip called 1.1.1.1
13:31 - 13:35

it is attacker ip
13:38 - 13:41

this ip was able to bypass the firewall
13:41 - 13:44

and it attack system a it attacks system
13:44 - 13:47

b it attacks system c and attack system
13:47 - 13:48

d
13:48 - 13:50

so we got this confirmation that there
13:50 - 13:52

was ip was able to penetrate into the
13:52 - 13:54

firewall and able to hack into the
13:54 - 13:56

internal network and he was able to or
13:56 - 13:58

she was able to hack the ip or the
13:58 - 14:00

particular hacker was able to hack into
14:00 - 14:03

the multiple system
14:03 - 14:04

so i want to investigate
14:04 - 14:08

so here the first step what i did
14:08 - 14:10

i collected the information from the
14:10 - 14:12

firewall
14:12 - 14:13

i collected the information from a
14:13 - 14:15

system a b c d
14:15 - 14:17

so that is called as a data collection
14:17 - 14:18

process now here what happened we have
14:18 - 14:22

collected all type of data
14:22 - 14:23

i'm not saying i'm collecting a specific
14:23 - 14:25

type of data but i have collected the
14:25 - 14:27

all type of data
14:27 - 14:29

now second step is called as examination
14:29 - 14:31

now examination is as i said we have
14:31 - 14:33

collected all type of data but i want to
14:33 - 14:37

filter is 1.1.1.1
14:37 - 14:38

okay because from the firewall we we
14:38 - 14:41

collected 40 gb data and from all the
14:41 - 14:43

system overall we collected 40 gb data
14:43 - 14:45

but there is no need for 40 gb data to
14:45 - 14:48

work on it so i want to examine
14:48 - 14:51

so i will basically filtered only 1.1
14:51 - 14:53

data from this total 80 gb data so i
14:53 - 14:56

concluded around 2 gb of data which is
14:56 - 14:59

or 1 gb of data led to the 1.1.1 so that
14:59 - 15:00

is called as examination it means
15:00 - 15:02

examination is a process of filtering
15:02 - 15:04

out the information
15:04 - 15:06

now once the information is filtered and
15:06 - 15:07

we limit it to
15:07 - 15:10

1.1.1.logs then we try to analyze how
15:10 - 15:11

this even happen
15:11 - 15:13

okay so that is basically gold to the
15:13 - 15:16

analysis and finally we basically report
15:16 - 15:18

so each and every step we're going to
15:18 - 15:20

discuss in detail okay so step one is
15:20 - 15:22

collecting a data all type of data we
15:22 - 15:25

collect we will not miss anything
15:25 - 15:27

second step is basically called as a
15:27 - 15:29

examination i will try to correlate all
15:29 - 15:32

the data related to 1.1.1 if the data is
15:32 - 15:35

not related to the 1.1.1 i will
15:35 - 15:36

basically keep aside and then the
15:36 - 15:39

filtered data which is in the
15:39 - 15:41

examination stage on that i will do the
15:41 - 15:43

analysis to see how this entire incident
15:43 - 15:44

happened
15:44 - 15:46

and finally we basically called as a
15:46 - 15:47

reporting
15:47 - 15:49

so this is basically the parameter we
15:49 - 15:50

have so we're going to discuss each and
15:50 - 15:52

every step now in detail
15:52 - 15:54

one thing you need to remember in the
15:54 - 15:56

forensic investigation you need to work
15:56 - 15:58

strongly on the documentation so
15:58 - 16:00

documentation should be start from the
16:00 - 16:02

first phase itself
16:02 - 16:03

okay and make sure you should maintain
16:03 - 16:06

the accuracy so let's discuss each and
16:06 - 16:08

every process in detail
16:08 - 16:10

see when you're talking about first step
16:10 - 16:12

which is called as a data collection so
16:12 - 16:15

where we identifying the data source
16:15 - 16:17

and acquiring the data from them but
16:17 - 16:19

problem is that how to acquire data so
16:19 - 16:22

when you're talking about data
16:22 - 16:24

we have a two type of data team one is
16:24 - 16:27

called as a volatile
16:28 - 16:32

and one is called as a non-volatile
16:35 - 16:38

okay one is called as a volatile and one
16:38 - 16:40

is called as a non-volatile sorry for my
16:40 - 16:43

handwriting let me
16:45 - 16:49

volatile and non-volatile
16:53 - 16:56

so whenever like as i said we have a
16:56 - 16:58

system a
16:59 - 17:02

we have a system a we have a system b we
17:02 - 17:04

have a system c a
17:04 - 17:05

b and c
17:05 - 17:07

and there was a hacker remotely he was
17:07 - 17:09

able to hack into the system so always
17:09 - 17:11

remember whenever you're initiating a
17:11 - 17:13

forensic investigation
17:13 - 17:15

never ever shut down the system
17:15 - 17:17

the reason is very simple because if you
17:17 - 17:19

shut down the system
17:19 - 17:22

you might lose the last access data
17:22 - 17:24

last
17:24 - 17:25

access data which is reside in the
17:25 - 17:28

memory
17:28 - 17:30

so one thing is at first disconnect the
17:30 - 17:32

network
17:32 - 17:34

it means remove the network cable
17:34 - 17:36

and in the case of mobile forensics put
17:36 - 17:38

the phone in a airplane mode do not
17:38 - 17:41

remove the sim okay don't shut down the
17:41 - 17:44

phone remove the
17:45 - 17:47

you know enable the airplane mode
17:47 - 17:48

okay
17:48 - 17:50

some people what they do they remove the
17:50 - 17:52

sim and then they enable the airplane
17:52 - 17:53

mode if you remove the sim you might
17:53 - 17:55

lose the memory data
17:55 - 17:58

so better is keep them keep the same on
17:58 - 17:59

but
17:59 - 18:01

enable the airplane mode okay and then
18:01 - 18:03

do the investigation now when it come to
18:03 - 18:05

system here like abc was involved in the
18:05 - 18:07

ransomware attack or
18:07 - 18:09

they they were hacked remotely by the
18:09 - 18:11

hacker the first practice is remove the
18:11 - 18:13

network cable after doing an impact
18:13 - 18:16

analysis then the second important thing
18:16 - 18:18

is obtain the volatile data volatile is
18:18 - 18:21

basically mean a very sensitive data
18:21 - 18:22

very
18:22 - 18:23

um
18:23 - 18:25

it is not a static data it's a dynamic
18:25 - 18:27

data because if you shut down the system
18:27 - 18:29

you might lose this data
18:29 - 18:30

okay if you shut down the system you
18:30 - 18:32

might lose this data it's a very dynamic
18:32 - 18:33

data
18:33 - 18:35

so there is a sequence in which we need
18:35 - 18:38

to obtain the volatile data first we
18:38 - 18:40

need to dump the memory because content
18:40 - 18:43

of memory is basically include your last
18:43 - 18:44

access file
18:44 - 18:46

okay open connections and everything
18:46 - 18:48

then you have to dump the running
18:48 - 18:50

process then you dump the open file data
18:50 - 18:51

then you
18:51 - 18:53

dump the network configuration and then
18:53 - 18:55

you dump the operating system time
18:55 - 18:57

so this is the sequence we have in which
18:57 - 18:59

we need to obtain the data always
18:59 - 19:01

remember okay but non-volatile is what
19:01 - 19:03

you shut down the system and you can
19:03 - 19:04

make a ghost image of that that is
19:04 - 19:06

called as a non-volatile
19:06 - 19:08

so always remember whenever you
19:08 - 19:10

obtaining a data or collecting a data
19:10 - 19:13

first you should focus on a volatile
19:13 - 19:15

data and then you have to focus on the
19:15 - 19:17

non-volatile data
19:17 - 19:19

now you have collected all kind of
19:19 - 19:20

information
19:20 - 19:21

now second step is called as a
19:21 - 19:23

examination
19:23 - 19:25

examination is all about involving
19:25 - 19:27

assessing and extracting a relevant
19:27 - 19:28

piece of information from the collected
19:28 - 19:30

data so what we did we collected all
19:30 - 19:32

kind of information
19:32 - 19:35

but i need to focus on the particular ip
19:35 - 19:36

i need to focus on the particular
19:36 - 19:39

pattern i don't want anything else i
19:39 - 19:41

just want that important pattern
19:41 - 19:44

so i will try to extract this respective
19:44 - 19:46

eyepiece i will try to extract the
19:46 - 19:48

particular pattern of traffic and what
19:48 - 19:50

is not relevant i can ignore that so
19:50 - 19:52

that is basically called as a second
19:52 - 19:54

step which is called as a examination
19:54 - 19:57

and then once you basically examine
19:57 - 19:59

then you will basically try to do the
19:59 - 20:01

analysis how this incident happened
20:01 - 20:03

because now you have a filter data so
20:03 - 20:05

analysis should include identifying
20:05 - 20:08

people place items even and determining
20:08 - 20:10

how these elements are related to the
20:10 - 20:12

conclusion can be reached so that is
20:12 - 20:15

called as analysis and finally you
20:15 - 20:17

prepare the complete report so during a
20:17 - 20:19

reporting you will compile all the data
20:19 - 20:21

first compile all the incidents compile
20:21 - 20:23

all the correlations
20:23 - 20:25

then in the report you should include
20:25 - 20:27

the tools the tools that you have used
20:27 - 20:29

because it's very important to give the
20:29 - 20:31

information to your stakeholder how you
20:31 - 20:33

have obtained the data okay who was
20:33 - 20:36

involved in this crime who was involved
20:36 - 20:37

in this investigation what was their
20:37 - 20:39

role any issue that occurred during the
20:39 - 20:41

entire process all challenges you can
20:41 - 20:43

document in the report like one day what
20:43 - 20:45

happened i was doing an investigation of
20:45 - 20:47

a server but i was not able to access
20:47 - 20:48

directly a server
20:48 - 20:50

i was not able to access some pi data
20:50 - 20:51

because of the compliance and legal
20:51 - 20:54

regulatory requirement so i can notify
20:54 - 20:55

this in a report that because of the
20:55 - 20:56

compliance and legal regulatory
20:56 - 20:58

requirement we failed to obtain the
20:58 - 20:59

reports
20:59 - 21:01

so audience consideration need to be
21:01 - 21:03

considered if you're giving this report
21:03 - 21:05

to your technical manager definitely the
21:05 - 21:07

report will be very technical in nature
21:07 - 21:08

but if you're giving this report to the
21:08 - 21:10

senior management then remove all the
21:10 - 21:12

data and talk about only business
21:12 - 21:14

reporting should also include the
21:14 - 21:16

actionable information you know what can
21:16 - 21:18

be done in the future so many forensics
21:18 - 21:20

instant response team hold the also
21:20 - 21:23

formal review after the each major event
21:23 - 21:25

and such review tend to include the
21:25 - 21:27

serious consideration of possible
21:27 - 21:29

improvement to guideline and procedure
21:29 - 21:31

and typically at least some minor
21:31 - 21:33

changes are approved and implement after
21:33 - 21:33

the
21:33 - 21:35

each review so that is basically part of
21:35 - 21:37

the reporting
21:37 - 21:39

okay so this is the high level steps we
21:39 - 21:41

have that we follow
21:41 - 21:43

now the next thing is called as a chain
21:43 - 21:45

of custody now what is chain of custody
21:45 - 21:47

see
21:47 - 21:49

i have obtained the evidence from this
21:49 - 21:52

incident scene
21:53 - 21:55

okay i have obtained the evidence
21:55 - 21:57

from this particular scene this is the
21:57 - 22:00

crime scene like hard disk
22:00 - 22:01

data
22:01 - 22:04

systems and all that so i am pram
22:05 - 22:06

okay i have obtained this evidence from
22:06 - 22:08

this crime scene now i hand over this
22:08 - 22:10

evidence to
22:10 - 22:14

my colleague which name is couple
22:14 - 22:16

okay i couple hand over the evidence to
22:16 - 22:19

abhishar
22:19 - 22:21

okay so here what happen sequence we
22:21 - 22:22

have
22:22 - 22:24

in which we have handover and because
22:24 - 22:26

abhishar is the lawyer abhisher is
22:26 - 22:28

basically representing the forensic team
22:28 - 22:29

who going to the court and submit this
22:29 - 22:31

evidence so this is the chain we have
22:31 - 22:32

followed
22:32 - 22:33

but
22:33 - 22:35

make sure there should be one document
22:35 - 22:37

we need to maintain in which we need to
22:37 - 22:38

maintain the information about who
22:38 - 22:40

obtain the evidence who hold the
22:40 - 22:42

evidence in a current scenario and what
22:42 - 22:44

was the hash value and that document is
22:44 - 22:46

called as a chain of custody
22:46 - 22:48

chain of custody is also talk about the
22:48 - 22:50

sequence in which we have obtained the
22:50 - 22:51

evidence
22:51 - 22:53

okay whatever the first evidence we have
22:53 - 22:54

obtained that will update in the
22:54 - 22:56

document what is the second evidence we
22:56 - 22:59

have obtained document when the evidence
22:59 - 23:00

is hand over to other person that is
23:00 - 23:03

document so it document the sequence of
23:03 - 23:04

the position
23:04 - 23:07

control transfer analysis and disposal
23:07 - 23:08

of things including a physical or
23:08 - 23:11

electronic evidence an important aspect
23:11 - 23:13

of evidence recording is the
23:13 - 23:15

chain of custody so here we have item
23:15 - 23:17

one we have a hard disk we have given
23:17 - 23:18

the description model number and all
23:18 - 23:19

that
23:19 - 23:21

so it is released by prep and received
23:21 - 23:22

by
23:22 - 23:24

kapil and we're giving the comment and
23:24 - 23:26

everything so this kind of a document we
23:26 - 23:28

have which is attached with the evidence
23:28 - 23:30

and when we submit the evidence in the
23:30 - 23:32

code we need to submit this document
23:32 - 23:34

also
23:34 - 23:35

so to prove the chain of custody you
23:35 - 23:37

will need to form the detail how the
23:37 - 23:39

evidence was handled in every step of
23:39 - 23:41

the way because one thing is that to
23:41 - 23:43

testify the crime in the court evidence
23:43 - 23:45

is the only tool we have evidence is the
23:45 - 23:47

only substance we have
23:47 - 23:48

if
23:48 - 23:50

blah blah blah a person has hacked the
23:50 - 23:52

email or if the blah blah blah the
23:52 - 23:54

person send them ill to rita i need an
23:54 - 23:57

evidence for that so i went to a
23:57 - 23:59

particular system i got the camera
23:59 - 24:01

records and from there we able to
24:01 - 24:03

identify 12 15 that guy is the one who
24:03 - 24:06

sent an email so we seize the laptop we
24:06 - 24:08

see the computer of the cyber cafe we
24:08 - 24:10

took the picture of the of the camera we
24:10 - 24:12

directly opt in the records from the
24:12 - 24:14

camera these all are evidence but who
24:14 - 24:16

opt-in when obtain and when we have
24:16 - 24:18

transfer that need to document in one
24:18 - 24:20

paper and that is called as a chain of
24:20 - 24:22

custody
24:22 - 24:24

so proof chain of custody all examiner
24:24 - 24:26

need to prepare to answer the following
24:26 - 24:28

questions like proof of evidence
24:28 - 24:30

okay how did you acquire this evidence
24:30 - 24:32

when was the evidence was gathered and
24:32 - 24:35

who handled the evidence okay so that
24:35 - 24:36

that's the point we have
24:36 - 24:38

but when we talking about good evidence
24:38 - 24:39

principle
24:39 - 24:42

let me give you a very good definition
24:42 - 24:43

of what is evidence so if you go by the
24:43 - 24:48

oxford dictionary evidence is a noun
24:49 - 24:52

actually okay now example if someone has
24:52 - 24:54

physically
24:54 - 24:56

if someone has killed one person
24:56 - 24:57

okay one person has killed another
24:57 - 24:59

person so knife is the evidence
24:59 - 25:02

fingerprint on the knife is evidence
25:02 - 25:03

that is okay when it comes to the
25:03 - 25:06

general forensic investigation but when
25:06 - 25:07

it comes to a digital forensics
25:07 - 25:09

everything is data
25:09 - 25:12

okay camera records camera records ip
25:12 - 25:15

records ip belong ipa does belong to a
25:15 - 25:16

particular attacker all these are
25:16 - 25:19

basically evidence so evidence is the
25:19 - 25:22

information or sign indicating whether a
25:22 - 25:25

belief or proposition is true
25:25 - 25:28

or valid information used here to
25:28 - 25:30

establish the facts in a legal
25:30 - 25:31

investigation
25:31 - 25:34

or admissible in a testimony in the law
25:34 - 25:35

encode that is what is called as an
25:35 - 25:36

evidence
25:36 - 25:38

okay so here i will proposing my system
25:38 - 25:40

logs here i am proposing the ip log so
25:40 - 25:42

that is an evidence so evidence is the
25:42 - 25:44

information which indicate whether
25:44 - 25:46

belief or proposition is true
25:46 - 25:49

and information used to establish the
25:49 - 25:51

facts in a legal investigation or
25:51 - 25:53

admissible as a testimony in the law
25:53 - 25:56

code so question is what is our evidence
25:56 - 25:58

or what is a good evidence principle the
25:58 - 25:59

first thing is that make a copy of a
25:59 - 26:00

system
26:00 - 26:02

see never ever do the investigation or
26:02 - 26:05

live system always remember suppose we
26:05 - 26:07

have a server
26:08 - 26:09

this was the actual server which was
26:09 - 26:11

hacked so there is no point of doing a
26:11 - 26:14

live investigation on the server first
26:14 - 26:17

make a ghost copy
26:18 - 26:21

okay make a ghost copy and make a copy
26:21 - 26:22

of the system and then install the copy
26:22 - 26:24

in another system and do the
26:24 - 26:25

investigation so that is the thing so
26:25 - 26:27

question is what kind of a copy so we do
26:27 - 26:29

the bit by bit copy bit by bit copy is a
26:29 - 26:32

great copy in which it will capture your
26:32 - 26:34

deleted files it will capture your slack
26:34 - 26:35

space
26:35 - 26:37

it capture your all the unhidden files
26:37 - 26:38

and everything so we always prefer
26:38 - 26:40

whenever you creating a copy of any
26:40 - 26:42

server copy of any desktop go for the
26:42 - 26:45

bit by bit basis not a file by file
26:45 - 26:46

basis
26:46 - 26:48

and the media in which you're making a
26:48 - 26:50

ghost image making a copy of the system
26:50 - 26:52

that should have a right blocker that
26:52 - 26:56

should have a right blocker disk
26:56 - 26:57

write
26:57 - 26:58

blocker
26:58 - 26:59

disk
26:59 - 27:01

make sure secure the original and work
27:01 - 27:03

on the copy and document everything
27:03 - 27:06

whether small too small or big to big
27:06 - 27:08

and do your best to collect data in an
27:08 - 27:10

order of volatility which we discussed
27:10 - 27:12

right first we dump the memory data then
27:12 - 27:14

network connections and all that so that
27:14 - 27:16

is a good evidence principle we have
27:16 - 27:18

so whenever you drive any kind of
27:18 - 27:20

investigation strategy we have some
27:20 - 27:22

parameters to be understand the first is
27:22 - 27:24

that understand the investigation
27:24 - 27:26

objectives and timeline there are a lot
27:26 - 27:28

of investigators okay what they do when
27:28 - 27:30

they drive any kind of investigation
27:30 - 27:32

without doing any analysis they start
27:32 - 27:33

the investigation they don't understand
27:33 - 27:35

the intent of the crime they don't
27:35 - 27:36

understand the motive of the hacker they
27:36 - 27:38

don't understand the
27:38 - 27:40

purpose of the crime so it is very
27:40 - 27:41

important whenever you plan your
27:41 - 27:43

investigation understand the objectives
27:43 - 27:45

what is your timeline what is the intent
27:45 - 27:47

okay second is make the list of
27:47 - 27:49

resources that you want for the
27:49 - 27:50

investigation
27:50 - 27:52

according to the skill set only take the
27:52 - 27:54

forensic investigators with you now
27:54 - 27:56

example like there was a enterprise
27:56 - 27:58

which got hacked and in that enterprise
27:58 - 28:01

they're using apple mac so we need some
28:01 - 28:03

forensic investigator who good in mac
28:03 - 28:05

there's no point of taking a windows
28:05 - 28:07

forensic investigator because we have a
28:07 - 28:08

different way to do the forensic
28:08 - 28:10

investigation in the windows we have a
28:10 - 28:12

different way of doing a forensic
28:12 - 28:14

investigation the linux we have a
28:14 - 28:15

different way to doing a forensic
28:15 - 28:17

investigation in the
28:17 - 28:19

unix or we have a different forensic
28:19 - 28:20

investigation process we have in the
28:20 - 28:23

network so make sure after understanding
28:23 - 28:25

the objective and have a clarity about
28:25 - 28:27

what is happening according to that you
28:27 - 28:29

need to plan the resource even the tools
28:29 - 28:31

is also different
28:31 - 28:32

for windows we have a great tool which
28:32 - 28:34

cannot be a good in linux we have a good
28:34 - 28:36

tools and linux which cannot be great in
28:36 - 28:38

windows so make sure you should
28:38 - 28:40

understand the things and according to
28:40 - 28:42

that plan the resources 90 of the
28:42 - 28:44

forensic teams
28:44 - 28:46

to literally miserable on the second
28:46 - 28:47

part
28:47 - 28:48

they do lot of mistake
28:48 - 28:50

third is identify the potential evidence
28:50 - 28:52

source because that is how you can able
28:52 - 28:55

to establish the crime parameters
28:55 - 28:56

hacking
28:56 - 28:57

like if the hacking initiated from a
28:57 - 29:00

particular laptop identifying ip is the
29:00 - 29:01

most important priority for us at the
29:01 - 29:03

first stage then second stage we need to
29:03 - 29:06

check who is the user who use the laptop
29:06 - 29:08

so it is very important to identify the
29:08 - 29:10

potential evidence source and make sure
29:10 - 29:11

when you're
29:11 - 29:13

looking for the evidence source look for
29:13 - 29:15

the authenticity third is estimate the
29:15 - 29:17

value and expense of getting so each
29:17 - 29:19

source of evidence it's very important i
29:19 - 29:21

got one evidence directly from a server
29:21 - 29:23

which got hacked and i got one evidence
29:23 - 29:24

which is provided by system
29:24 - 29:26

administrator definitely i will trust
29:26 - 29:28

that evidence which is directly obtained
29:28 - 29:30

from the server
29:30 - 29:31

so we need to estimate the value so
29:31 - 29:33

sometimes we have a direct evidence and
29:33 - 29:35

sometimes we have indirect evidence okay
29:35 - 29:37

like someone told me that guy was
29:37 - 29:38

sitting on the system that is called as
29:38 - 29:40

an indirect evidence but we have a
29:40 - 29:42

camera locks we talk about that day the
29:42 - 29:45

person is sit on the system and did the
29:45 - 29:46

hacking from there so that is called as
29:46 - 29:48

a direct evidence
29:48 - 29:49

prioritize your evidence gathering what
29:49 - 29:51

is the important need what is need to be
29:51 - 29:53

reviewed later so that is another
29:53 - 29:55

important thing we have
29:55 - 29:57

and make a plan for first acquisition
29:57 - 29:59

instead of directly investigating and
29:59 - 30:02

all that your 20 to 30 percent of
30:02 - 30:04

priorities in a first stage when you
30:04 - 30:06

acquiring a data because your entire
30:06 - 30:08

investigation is depending upon the
30:08 - 30:11

acquisition of a data if you acquire the
30:11 - 30:12

wrong data based on that you do the
30:12 - 30:14

wrong action based on wrong action you
30:14 - 30:16

will take the wrong decisions and the
30:16 - 30:18

wrong person will feel guilty so it's
30:18 - 30:21

very important whatever you're doing in
30:21 - 30:23

in the during a time of acquisition you
30:23 - 30:24

should be thoroughly understand the
30:24 - 30:26

things make sure you obtain the accurate
30:26 - 30:27

data
30:27 - 30:29

so this will be your investigation
30:29 - 30:31

strategy we have when you deal with any
30:31 - 30:32

kind of a crime scene
30:32 - 30:34

so now there are some technical tools
30:34 - 30:36

are basically used in a digital
30:36 - 30:39

forensics so that we're going to discuss
30:39 - 30:40

in the next part
30:40 - 30:42

okay so now we're going to discuss about
30:42 - 30:44

the different type of tools which is
30:44 - 30:47

used in the forensic additional forensic
30:47 - 30:49

investigation so one of the first tool
30:49 - 30:51

we called as a swift workstation i'm
30:51 - 30:53

sure you heard about kali linux now when
30:53 - 30:56

you install the kali linux okay in any
30:56 - 30:56

system
30:56 - 30:59

it install with multiple tools it is
30:59 - 31:02

like os right and within that os you can
31:02 - 31:04

see the multiple further pen testing or
31:04 - 31:07

secure testing tools same like swift is
31:07 - 31:09

like a workstation
31:09 - 31:10

their image is available you can
31:10 - 31:12

download you can mount you can run that
31:12 - 31:15

system and that that utilities this this
31:15 - 31:16

workstation is basically include the
31:16 - 31:19

multiple tools okay
31:19 - 31:21

so it is one of the popular one which is
31:21 - 31:23

used for a forensic investigation
31:23 - 31:24

and
31:24 - 31:27

it also consists several open source
31:27 - 31:29

instant response tools also within that
31:29 - 31:31

workstation and one of the important
31:31 - 31:33

feature of the swift
31:33 - 31:35

toolkit is that it
31:35 - 31:37

has some utilities which is used to
31:37 - 31:39

examine the raw disk
31:39 - 31:40

okay able to understand the multiple
31:40 - 31:42

file system so example we are running a
31:42 - 31:44

system a we are running a system b and
31:44 - 31:46

we are running a system c
31:46 - 31:48

so system a is running with windows
31:48 - 31:49

system b is learning with linux and
31:49 - 31:52

system c running with mac
31:52 - 31:53

each and every system is running with a
31:53 - 31:55

different file system so i installed the
31:55 - 31:58

swift workstation on this system
31:58 - 32:01

which is my laptop i'm an investigator
32:01 - 32:03

and and then i basically connect with
32:03 - 32:04

the systems and extract the data from
32:04 - 32:06

there
32:06 - 32:09

so or i can basically do boot my system
32:09 - 32:11

a boot uh this particular system with a
32:11 - 32:14

swift workstation has a live cd and i
32:14 - 32:16

can able to investigate these systems
32:16 - 32:18

easily so for me
32:18 - 32:20

investigating of a different file system
32:20 - 32:22

will not be the challenge
32:22 - 32:23

and
32:23 - 32:25

second toolkit that we using is ftk
32:25 - 32:27

which is from the company called access
32:27 - 32:30

data so that that toolkit uh one of the
32:30 - 32:32

important tool in the toolkit is called
32:32 - 32:35

as a ftk e major so when we say ftk
32:35 - 32:37

imager between that we have a system a
32:37 - 32:39

we have a system b we have a system c so
32:39 - 32:41

this was the system which is hacked
32:41 - 32:42

remotely
32:42 - 32:44

okay so i want to make a ghost copy of
32:44 - 32:46

the system i want to make a copy of the
32:46 - 32:47

system because we cannot do the
32:47 - 32:50

investigation on the live system so how
32:50 - 32:52

to do that in that case popular tool we
32:52 - 32:55

are using is ftk imager so with the help
32:55 - 32:58

of ftk imager we can able to create a
32:58 - 33:00

image of the complete system and then i
33:00 - 33:03

can basically copy that image or
33:03 - 33:06

mount that image in other system and
33:06 - 33:08

then i will do the further investigation
33:08 - 33:09

on that system so these are the one of
33:09 - 33:11

the popular tool we have
33:11 - 33:13

along with that we also have another one
33:13 - 33:16

which is called as a digital evidence
33:16 - 33:18

forensic toolkit it is a well popular in
33:18 - 33:21

that in a intelligence
33:21 - 33:24

government activities so and the reason
33:24 - 33:26

is that they have a
33:26 - 33:28

they have some tools which having a
33:28 - 33:30

capability to open the encrypted files
33:30 - 33:31

also
33:31 - 33:34

and able to recover the deleted data
33:34 - 33:37

okay so that is why it is one of the
33:37 - 33:39

popular utility we have which is
33:39 - 33:42

recommended by the different enforcement
33:42 - 33:44

agencies also okay
33:44 - 33:45

but when we dealing with the different
33:45 - 33:46

type of
33:46 - 33:47

uh
33:47 - 33:50

data okay we need to make a image of the
33:50 - 33:52

system or we have a different type of
33:52 - 33:54

extensions of the files so one of the
33:54 - 33:58

popular extensions we have is dd
33:58 - 34:00

dd called as a data duplication so it is
34:00 - 34:03

also come with a dd utility which is
34:03 - 34:04

used to copy
34:04 - 34:07

the linux system and then we can you
34:07 - 34:09

create an image and i can dump the image
34:09 - 34:11

i can mount the image in other system
34:11 - 34:13

and do the investigation so dd is
34:13 - 34:14

another
34:14 - 34:16

type of file we have then we have a aff
34:16 - 34:18

file format that is basically used in a
34:18 - 34:21

forensic investigation
34:21 - 34:23

so it is extensible open format for the
34:23 - 34:24

storage of disk image
34:24 - 34:27

and it was created to be an open and
34:27 - 34:29

extensible file format to store disk
34:29 - 34:32

image and associate metadata
34:32 - 34:35

so aff has a goal to create a disk image
34:35 - 34:37

format that would not lock the user into
34:37 - 34:40

proprietary format that may limit how or
34:40 - 34:42

she may able to analyze that and today
34:42 - 34:45

it is a preferred tool for your in
34:45 - 34:47

gathering intelligence and resolving the
34:47 - 34:50

security incident it mean if you make a
34:50 - 34:52

ghost image if you make an image in a ff
34:52 - 34:53

format suppose you make a copy of the
34:53 - 34:56

system in afa format so in that case we
34:56 - 34:59

can use this aff utility with multiple
34:59 - 35:00

forensic tools
35:00 - 35:02

we also have other different type of
35:02 - 35:04

image like raw image which is basically
35:04 - 35:07

do the bit by bit copy and the great
35:07 - 35:09

advantage of bit by bit copy it will
35:09 - 35:11

capture the entire disk
35:11 - 35:13

entire volume without any deletion or
35:13 - 35:16

add addition and raw image format was
35:16 - 35:18

used by the dd also but nowadays
35:18 - 35:20

multiple forensics application also
35:20 - 35:22

support that it mean if we have a system
35:22 - 35:25

a system b and system c when i make a
35:25 - 35:27

copy of the system and the image is raw
35:27 - 35:28

image
35:28 - 35:30

so that raw image can be used by
35:30 - 35:32

multiple forensic tool because when we
35:32 - 35:34

need to do the investigation on the
35:34 - 35:35

system definitely we are not doing an
35:35 - 35:37

investigation the live system so we
35:37 - 35:39

mount the image which is created from a
35:39 - 35:42

system and tool will read the image and
35:42 - 35:44

according to that do the investigation
35:44 - 35:46

we also have other extension like dmp
35:46 - 35:50

dump crash mem femem and mdmp so this is
35:50 - 35:52

more like a memory dump data
35:52 - 35:53

so sometime when we need to review the
35:53 - 35:55

memory and all that these are the
35:55 - 35:57

extensions in which we basically save a
35:57 - 36:00

file we also have a binary dumps for the
36:00 - 36:02

memory which called as a dot bi and dat
36:02 - 36:06

file unallocated re rec data or binary
36:06 - 36:08

so this is also is very useful when we
36:08 - 36:10

need to investigate the open files and
36:10 - 36:12

everything sometime if you want to
36:12 - 36:14

investigate the virtual machine we have
36:14 - 36:16

extension called vmdk
36:16 - 36:18

and when the ftk tool is creating image
36:18 - 36:20

they store the image in this particular
36:20 - 36:21

format
36:21 - 36:24

so this is all from my site team if you
36:24 - 36:26

find this video useful do let me know in
36:26 - 36:28

the comment box what is the next video
36:28 - 36:31

you want me to make on forensics i'm
36:31 - 36:33

very happy to receive your feedbacks by
36:33 - 36:35

which i can able to improve my video and
36:35 - 36:37

i'm sure if you're new to my channel do
36:37 - 36:39

subscribe to my channel and click on the
36:39 - 36:41

bell icon to make sure you should not
36:41 - 36:43

miss my future videos on a similar topic
36:43 - 36:45

and do let me know in the comment box
36:45 - 36:48

what are the top popular forensic tools
36:48 - 36:49

from your point of view which can be
36:49 - 36:51

used for a forensic investigation apart
36:51 - 36:53

from what is mentioned in the slides
36:53 - 36:55

thank you for watching my video
36:55 - 36:59

bye take care

Title:: Introduction to Digital Forensics - Learn the Basics
Description:: more » « less
Video Language:: English
Duration:: 36:58

	OEVIDEOS edited English subtitles for Introduction to Digital Forensics - Learn the Basics	Mar 5, 2025, 11:52 PM
	OEVIDEOS edited English subtitles for Introduction to Digital Forensics - Learn the Basics	Mar 5, 2025, 11:51 PM
	OEVIDEOS edited English subtitles for Introduction to Digital Forensics - Learn the Basics	Mar 5, 2025, 11:07 PM
	OEVIDEOS edited English subtitles for Introduction to Digital Forensics - Learn the Basics	Mar 5, 2025, 10:37 PM
	OEVIDEOS edited English subtitles for Introduction to Digital Forensics - Learn the Basics	Mar 5, 2025, 10:05 PM
	OEVIDEOS edited English subtitles for Introduction to Digital Forensics - Learn the Basics	Mar 5, 2025, 10:05 PM
	OEVIDEOS edited English subtitles for Introduction to Digital Forensics - Learn the Basics	Mar 5, 2025, 8:47 PM

English subtitles

Revisions Compare revisions

Revision 7 Edited

OEVIDEOS Mar 5, 2025, 11:52 PM
Revision 6 Edited

OEVIDEOS Mar 5, 2025, 11:51 PM
Revision 5 Edited

OEVIDEOS Mar 5, 2025, 11:07 PM
Revision 4 Edited

OEVIDEOS Mar 5, 2025, 10:37 PM
Revision 3 Edited

OEVIDEOS Mar 5, 2025, 10:05 PM
Revision 2 Edited

OEVIDEOS Mar 5, 2025, 10:05 PM
Revision 1 Uploaded

OEVIDEOS Mar 5, 2025, 8:47 PM

Revision Number	Author	Created
7	OEVIDEOS	Mar 5, 2025, 11:52 PM
6	OEVIDEOS	Mar 5, 2025, 11:51 PM
5	OEVIDEOS	Mar 5, 2025, 11:07 PM
4	OEVIDEOS	Mar 5, 2025, 10:37 PM
3	OEVIDEOS	Mar 5, 2025, 10:05 PM
2	OEVIDEOS	Mar 5, 2025, 10:05 PM
1	OEVIDEOS	Mar 5, 2025, 8:47 PM

Introduction to Digital Forensics - Learn the Basics

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)