Introduction to Digital Forensics - Learn the Basics

  • 0:00 - 0:07
    [Music]
  • 0:07 - 0:09
    hello team welcome to my session on
  • 0:09 - 0:11
    coffee with prab and today we're going
  • 0:11 - 0:15
    to discuss about digital forensics yes
  • 0:15 - 0:17
    it is one of the
  • 0:17 - 0:18
    a great career perspective for the
  • 0:18 - 0:20
    information security professional so i
  • 0:20 - 0:23
    thought i will make one video on digital
  • 0:23 - 0:25
    forensics i am planning to make more
  • 0:25 - 0:27
    videos on digital forensics in future
  • 0:27 - 0:29
    where i am going to discuss about some
  • 0:29 - 0:31
    cases so if you're new to my channel do
  • 0:31 - 0:33
    subscribe to my youtube channel and
  • 0:33 - 0:35
    click on the bell icon to make sure you
  • 0:35 - 0:37
    should not miss my future videos on a
  • 0:37 - 0:38
    similar topic
  • 0:38 - 0:40
    my name is prabhnayar for more
  • 0:40 - 0:42
    information you can refer my linkedin
  • 0:42 - 0:45
    profile so without wasting a time let's
  • 0:45 - 0:47
    start with the first part
  • 0:47 - 0:50
    so instead of starting with what is
  • 0:50 - 0:52
    forensics or digital forensics i thought
  • 0:52 - 0:55
    let me give you a first brief idea about
  • 0:55 - 0:57
    cyber crime okay so when we say word
  • 0:57 - 0:58
    cyber
  • 0:58 - 1:00
    and when we say the word crime what is
  • 1:00 - 1:01
    that
  • 1:01 - 1:03
    when you're talking about cyber cyber is
  • 1:03 - 1:06
    a is a concept of you know cyber is
  • 1:06 - 1:08
    relating to or characteristics of the
  • 1:08 - 1:10
    culture of computers
  • 1:10 - 1:12
    information technology and virtual
  • 1:12 - 1:14
    reality so cyber is related to the
  • 1:14 - 1:17
    network cyber is related to the systems
  • 1:17 - 1:19
    and crime is basically called as an
  • 1:19 - 1:22
    action or omission which constitutes an
  • 1:22 - 1:23
    offense
  • 1:23 - 1:26
    so where computer is involved in
  • 1:26 - 1:30
    committing a crime a computer was used
  • 1:30 - 1:32
    to committing a crime that is basically
  • 1:32 - 1:34
    called as a cyber crime so we have a
  • 1:34 - 1:36
    different kind of an expertise who
  • 1:36 - 1:38
    involved in the cyber crime
  • 1:38 - 1:40
    investigation in layman i can say
  • 1:40 - 1:42
    suppose there is a candidate name is
  • 1:42 - 1:45
    rita
  • 1:45 - 1:49
    one day she received a threatening email
  • 1:49 - 1:51
    that okay i will kill you
  • 1:51 - 1:53
    okay or i will
  • 1:53 - 1:56
    do something bad so this kind of a email
  • 1:56 - 1:59
    rita received now rita what she did she
  • 1:59 - 2:03
    report that issue to the police
  • 2:03 - 2:05
    now what police did police basically
  • 2:05 - 2:09
    contact the cyber team
  • 2:10 - 2:12
    and cyber team basically investigated
  • 2:12 - 2:14
    the email from where the email comes
  • 2:14 - 2:17
    what is the ip address of the email
  • 2:17 - 2:19
    what is the source what is the details
  • 2:19 - 2:21
    so here what happened the computer and
  • 2:21 - 2:24
    their associate details artifacts has
  • 2:24 - 2:26
    been used to identify who sent the
  • 2:26 - 2:28
    threatening email to rita
  • 2:28 - 2:30
    see here the rita has not received any
  • 2:30 - 2:33
    kind of physical threat okay it mean
  • 2:33 - 2:34
    that the person is not standing outside
  • 2:34 - 2:37
    the gate and threatening rita
  • 2:37 - 2:39
    she receive an email which is also an
  • 2:39 - 2:41
    electronic email it is not a postal
  • 2:41 - 2:43
    email it is an electronic email which
  • 2:43 - 2:47
    she receive on an email or in a mailbox
  • 2:47 - 2:49
    so based on the data
  • 2:49 - 2:51
    which is received by rita we have
  • 2:51 - 2:54
    investigated where we identify what can
  • 2:54 - 2:56
    be the sender
  • 2:56 - 2:58
    who is the sender from which ip address
  • 2:58 - 3:00
    this email come then we contact that
  • 3:00 - 3:02
    server then from the server we identify
  • 3:02 - 3:04
    the mail has been sent from this
  • 3:04 - 3:06
    particular ip then we went to that
  • 3:06 - 3:07
    system
  • 3:07 - 3:09
    but problem is that that system is used
  • 3:09 - 3:10
    by multiple people then we check the
  • 3:10 - 3:13
    camera from the camera we identify on
  • 3:13 - 3:15
    that particular time who was sitting on
  • 3:15 - 3:17
    the computer then we took a picture and
  • 3:17 - 3:19
    this is how we have invest he can
  • 3:19 - 3:22
    identify who sent an email to rita
  • 3:22 - 3:23
    okay so this is basically where the
  • 3:23 - 3:25
    computer has been used to identify and
  • 3:25 - 3:27
    track because in this particular
  • 3:27 - 3:28
    condition
  • 3:28 - 3:31
    computer was used as a tool to commit a
  • 3:31 - 3:32
    crime
  • 3:32 - 3:33
    okay
  • 3:33 - 3:34
    so that is called as a cyber crime so
  • 3:34 - 3:37
    when we talking about cyber
  • 3:37 - 3:39
    crime it has a two perspective
  • 3:39 - 3:41
    so in this this in cyber crime the
  • 3:41 - 3:43
    computers are basically involved to
  • 3:43 - 3:45
    compete com uh to commit the crime so
  • 3:45 - 3:47
    question is how one condition is
  • 3:47 - 3:50
    computer is a target now example we have
  • 3:50 - 3:52
    a company which is running a very
  • 3:52 - 3:54
    critical servers every day from this
  • 3:54 - 3:56
    particular server we are generating a
  • 3:56 - 3:58
    thousand dollar business
  • 3:58 - 3:59
    now one of our
  • 3:59 - 4:02
    enemies or one of our competitors they
  • 4:02 - 4:04
    hire hackers and they basically try to
  • 4:04 - 4:06
    shut down the servers because they know
  • 4:06 - 4:08
    very well if the server is basically
  • 4:08 - 4:10
    down it will impact the business it is
  • 4:10 - 4:11
    actually a crime
  • 4:11 - 4:13
    because what you're doing here is you
  • 4:13 - 4:15
    are manipulating my servers you shutting
  • 4:15 - 4:16
    down my servers and which impact my
  • 4:16 - 4:18
    business and it is a loss of money for
  • 4:18 - 4:22
    me so here in a cyber crime computer was
  • 4:22 - 4:24
    used as a target okay so in this case
  • 4:24 - 4:27
    they have targeted my server now here
  • 4:27 - 4:29
    what happened hacker also using his
  • 4:29 - 4:30
    computer
  • 4:30 - 4:32
    in which he using a tool to perform the
  • 4:32 - 4:34
    attack so here the computer was used as
  • 4:34 - 4:37
    a mechanism so that is why in the cyber
  • 4:37 - 4:39
    crime we say that computer as a target
  • 4:39 - 4:41
    where i'm targeting a computer to hack
  • 4:41 - 4:44
    the computer and computer as i use it
  • 4:44 - 4:45
    mean i am using my laptop to commit a
  • 4:45 - 4:46
    crime
  • 4:46 - 4:48
    so that is basically usage of cyber
  • 4:48 - 4:51
    crime now in the cyber crime as if you
  • 4:51 - 4:52
    go by the process we have a multiple
  • 4:52 - 4:54
    type of cyber crime but here i have
  • 4:54 - 4:56
    categorized the cyber crime into three
  • 4:56 - 4:58
    category one is called as a cyber
  • 4:58 - 5:01
    trespass second is basically called
  • 5:01 - 5:03
    as a cyber deception and third is
  • 5:03 - 5:06
    basically called as a cyber violence so
  • 5:06 - 5:08
    first is basically called as a cyber
  • 5:08 - 5:10
    trespass so cyber trespass is basically
  • 5:10 - 5:12
    referred to act of crossing the
  • 5:12 - 5:14
    boundaries of ownership in online
  • 5:14 - 5:16
    environment or connect
  • 5:16 - 5:18
    with the unauthorized network one
  • 5:18 - 5:20
    example i can give you so this is
  • 5:20 - 5:24
    basically the wi-fi shop we have
  • 5:25 - 5:27
    coffee shop sorry
  • 5:27 - 5:29
    this is the coffee shop we have okay i
  • 5:29 - 5:31
    want to commit i want to send a
  • 5:31 - 5:33
    threatening email to rita definitely if
  • 5:33 - 5:36
    i use my house ip or if i use my house
  • 5:36 - 5:37
    internet to send an email they can able
  • 5:37 - 5:40
    to track the mail came from prep
  • 5:40 - 5:43
    now what happened i went to coffee shop
  • 5:43 - 5:45
    okay i took one coffee
  • 5:45 - 5:47
    and they have a wi-fi but they are not
  • 5:47 - 5:49
    sharing me the username password so i
  • 5:49 - 5:52
    basically try to hack the wi-fi network
  • 5:52 - 5:54
    use a wi-fi network to send an email so
  • 5:54 - 5:56
    here i have used some other organization
  • 5:56 - 5:58
    wi-fi and through that i was trying to
  • 5:58 - 6:00
    hack so that is called as a cyber
  • 6:00 - 6:01
    trespass
  • 6:01 - 6:03
    second is called as a cyber deception
  • 6:03 - 6:05
    cyber deception is basically like a
  • 6:05 - 6:07
    phishing where i'm sending a phishing
  • 6:07 - 6:09
    email to you know collect more and more
  • 6:09 - 6:10
    information about the user like i sent
  • 6:10 - 6:12
    you a phishing email hey you want the
  • 6:12 - 6:14
    lottery and to claim the lottery you
  • 6:14 - 6:15
    need to share your account details and
  • 6:15 - 6:18
    other information so here what happened
  • 6:18 - 6:20
    i have collected your information so
  • 6:20 - 6:22
    that is called as a cyber deception and
  • 6:22 - 6:24
    third is called as a cyber violence now
  • 6:24 - 6:26
    i want to promote uh
  • 6:26 - 6:28
    some social message i want to promote
  • 6:28 - 6:30
    some economic message okay i want to
  • 6:30 - 6:32
    promote some religious message so i know
  • 6:32 - 6:34
    facebook server yahoo server google
  • 6:34 - 6:37
    server is basically receive huge traffic
  • 6:37 - 6:39
    so we hack into those servers and we
  • 6:39 - 6:41
    promote our social economic message that
  • 6:41 - 6:43
    is why sometime you notice whenever you
  • 6:43 - 6:44
    try to browse some website it will
  • 6:44 - 6:46
    redirect to some kind of a social and
  • 6:46 - 6:49
    economic message websites okay so that
  • 6:49 - 6:51
    is basically called as a cyber violence
  • 6:51 - 6:53
    where i have my intention to disrupt the
  • 6:53 - 6:56
    society i have interim should interrupt
  • 6:56 - 6:58
    i have an intention to compromise the
  • 6:58 - 6:59
    society
  • 6:59 - 7:01
    okay like example we have a
  • 7:01 - 7:04
    scada plant we have a
  • 7:04 - 7:06
    ics plant ics stands for industrial
  • 7:06 - 7:08
    control system okay in middle east you
  • 7:08 - 7:11
    can see in the us you can see a lot of
  • 7:11 - 7:13
    machines are controlled by the computers
  • 7:13 - 7:15
    okay so here what we did is we hacked
  • 7:15 - 7:17
    into the computer networks
  • 7:17 - 7:19
    okay and by which we had disrupt their
  • 7:19 - 7:20
    power plants we disrupt their water
  • 7:20 - 7:23
    plant okay live example is i hack into
  • 7:23 - 7:24
    one water plant
  • 7:24 - 7:26
    okay remotely and i increase the
  • 7:26 - 7:28
    chlorine level of the water which
  • 7:28 - 7:30
    basically create more poison which is
  • 7:30 - 7:32
    not very in uh it is where it becomes
  • 7:32 - 7:34
    very injurious for the person to drink
  • 7:34 - 7:36
    so this is how i basically perform the
  • 7:36 - 7:39
    cyber violence so summary is that using
  • 7:39 - 7:41
    someone's wi-fi use a wi-fi and access
  • 7:41 - 7:43
    the things that is called cyber trespass
  • 7:43 - 7:45
    cyber deception is basically a phishing
  • 7:45 - 7:47
    campaign
  • 7:47 - 7:49
    and cyber violence is basically where we
  • 7:49 - 7:51
    are disrupting the networks disrupting
  • 7:51 - 7:53
    the things and it is lead to also
  • 7:53 - 7:55
    someone human life that's like dos
  • 7:55 - 7:57
    attack and ddos attack that is part of
  • 7:57 - 7:59
    the cyber violence
  • 7:59 - 8:01
    so now we're going to discuss about the
  • 8:01 - 8:03
    introduction of the digital forensics
  • 8:03 - 8:05
    because we hire forensic investigators
  • 8:05 - 8:08
    we hire a specialized officers who
  • 8:08 - 8:11
    investigate who perform this attack how
  • 8:11 - 8:14
    this attack happen and and
  • 8:14 - 8:16
    who can be the target what is the motive
  • 8:16 - 8:18
    for them so we have a dedicated team
  • 8:18 - 8:20
    okay in every every country there is a
  • 8:20 - 8:22
    dedicated team who involved in
  • 8:22 - 8:24
    investigating such kind of a computer's
  • 8:24 - 8:27
    crime and that is called as a forensic
  • 8:27 - 8:29
    investigator and that is my agenda in
  • 8:29 - 8:31
    this particular session so let's start
  • 8:31 - 8:32
    with the introduction of digital
  • 8:32 - 8:34
    forensics
  • 8:34 - 8:35
    okay
  • 8:35 - 8:37
    so what is
  • 8:37 - 8:39
    digital forensics so when you're talking
  • 8:39 - 8:40
    about digital and forensic it means
  • 8:40 - 8:43
    doing an investigation for a digital
  • 8:43 - 8:44
    stuff
  • 8:44 - 8:46
    so even you go by the definition digital
  • 8:46 - 8:48
    forensics is a part of forensic science
  • 8:48 - 8:51
    that focus on identifying acquiring
  • 8:51 - 8:54
    processing analyzing and reporting on
  • 8:54 - 8:56
    data stored electronically as i said
  • 8:56 - 8:59
    when rita
  • 8:59 - 9:03
    she receive an email
  • 9:03 - 9:05
    so first we have contact rita and ask
  • 9:05 - 9:07
    for the email
  • 9:07 - 9:09
    and we have identify the email content
  • 9:09 - 9:11
    we identify the email header and from
  • 9:11 - 9:13
    there we got a high level information
  • 9:13 - 9:17
    from which domain the email comes
  • 9:17 - 9:19
    what is the ip address of server and what
  • 9:19 - 9:21
    is the primary location then we have
  • 9:21 - 9:23
    basically contacted that particular
  • 9:23 - 9:25
    companies and contacted and checked
  • 9:25 - 9:27
    those servers from where the mail has
  • 9:27 - 9:29
    been sent and from there we got ip that
  • 9:29 - 9:31
    was a sender ip was at this particular
  • 9:31 - 9:34
    host ip so here what happened we are
  • 9:34 - 9:36
    identifying the electronic information
  • 9:36 - 9:38
    because if you're talking about general
  • 9:38 - 9:40
    forensic investigation if someone has
  • 9:40 - 9:41
    killed someone
  • 9:41 - 9:43
    so we physically go there and collect
  • 9:43 - 9:45
    the evidence physical evidence but here
  • 9:45 - 9:48
    everything is digital you cannot touch
  • 9:48 - 9:50
    that it is a logical email you cannot
  • 9:50 - 9:52
    touch email is a digital data
  • 9:52 - 9:54
    okay so you have to use specialized
  • 9:54 - 9:56
    tools to extract the email understand
  • 9:56 - 9:58
    the data you need to contact the server
  • 9:58 - 9:59
    from where we have sent an email we have
  • 9:59 - 10:02
    to contact that so here we are basically
  • 10:02 - 10:03
    fighting with the systems we are not
  • 10:03 - 10:05
    fighting with the person
  • 10:05 - 10:07
    here we are not identifying on a first
  • 10:07 - 10:10
    stage who which person did that we are
  • 10:10 - 10:12
    identifying which system was basically
  • 10:12 - 10:14
    used to perform this crime because once
  • 10:14 - 10:16
    we identify the system we will get the
  • 10:16 - 10:19
    system owner details or the system user
  • 10:19 - 10:20
    details you're getting a point so if the
  • 10:20 - 10:22
    mail has been sent from cyber cafe at 10
  • 10:22 - 10:25
    15 but that system was used by multiple
  • 10:25 - 10:27
    people right so from there we will
  • 10:27 - 10:29
    involve the camera in the camera it will
  • 10:29 - 10:31
    capture the digital data that at 10 15
  • 10:31 - 10:32
    which person was sitting on that
  • 10:32 - 10:35
    particular system then we will basically
  • 10:35 - 10:36
    contact the person
  • 10:36 - 10:38
    and find out okay why you send this
  • 10:38 - 10:40
    email so here the everything is digital
  • 10:40 - 10:42
    that is why they say identifying the
  • 10:42 - 10:43
    digital data
  • 10:43 - 10:45
    okay acquiring the digital data
  • 10:45 - 10:47
    processing the data for the correlation
  • 10:47 - 10:49
    then analyzing the value and then
  • 10:49 - 10:51
    according to that we do the final report
  • 10:51 - 10:54
    but we have a different type of digital
  • 10:54 - 10:56
    forensics like we have a computer
  • 10:56 - 10:58
    forensics like there was a computer was
  • 10:58 - 11:01
    hacked so we identify who hacked that so
  • 11:01 - 11:03
    there is an investigation involved in
  • 11:03 - 11:05
    computer aspect there was a mobile has
  • 11:05 - 11:06
    been used
  • 11:06 - 11:08
    for the threatening the mobile has been
  • 11:08 - 11:10
    used for sending a whatsapp message the
  • 11:10 - 11:12
    mobile was involved in uh giving a
  • 11:12 - 11:14
    threatening call so we have investigated
  • 11:14 - 11:16
    the mobiles and identified data from
  • 11:16 - 11:17
    there
  • 11:17 - 11:18
    then we have a network forensics someone
  • 11:18 - 11:20
    is basically doing multiple attacks on
  • 11:20 - 11:22
    the networks so we are dumping the
  • 11:22 - 11:24
    firewall logs we are identifying the
  • 11:24 - 11:27
    ids logs intrusion detection systems
  • 11:27 - 11:28
    from there we get a visibility what kind
  • 11:28 - 11:30
    of a traffic is coming in the network
  • 11:30 - 11:32
    from where which is a source is involved
  • 11:32 - 11:35
    so that is called as a network forensics
  • 11:35 - 11:37
    and last but not the least we have a
  • 11:37 - 11:38
    hardware forensics example like we
  • 11:38 - 11:40
    purchase some hardware devices like it
  • 11:40 - 11:43
    can be my mobile as a hardware device
  • 11:43 - 11:45
    okay router as a hardware device a
  • 11:45 - 11:47
    system as a hardware device so sometime
  • 11:47 - 11:48
    what happened
  • 11:48 - 11:50
    sometime it's sometime it's possible
  • 11:50 - 11:52
    that okay uh you know
  • 11:52 - 11:55
    vendor basically embedded a malware in
  • 11:55 - 11:57
    that sometime the user embedding some
  • 11:57 - 12:00
    kind of a trojan in the hardware so we
  • 12:00 - 12:01
    are trying to investigate is this
  • 12:01 - 12:03
    hardware is compromised
  • 12:03 - 12:04
    okay
  • 12:04 - 12:06
    because there is a possibility of
  • 12:06 - 12:07
    hardware is basically compromised then
  • 12:07 - 12:09
    it is a concern for us might be someone
  • 12:09 - 12:12
    has given me one one device with enable
  • 12:12 - 12:13
    with some mic and all that so we need to
  • 12:13 - 12:15
    investigate if someone has tampered or
  • 12:15 - 12:18
    something else so we have a digital
  • 12:18 - 12:22
    different type of digital forensics okay
  • 12:22 - 12:24
    so this is the introduction we have so
  • 12:24 - 12:26
    now we're going to understand about the
  • 12:26 - 12:29
    forensic investigation process
  • 12:29 - 12:31
    so on a high level different different
  • 12:31 - 12:32
    books
  • 12:32 - 12:34
    talk about different different forensic
  • 12:34 - 12:36
    investigation process
  • 12:36 - 12:38
    so here i have categorized that forensic
  • 12:38 - 12:41
    process in a four stages the first stage
  • 12:41 - 12:43
    is collection second is called as
  • 12:43 - 12:45
    examination third is called as analysis
  • 12:45 - 12:47
    and fourth is called as a reporting let
  • 12:47 - 12:49
    me give an example
  • 12:49 - 12:53
    so suppose this is my internet
  • 12:57 - 12:59
    okay
  • 13:01 - 13:04
    there is a firewall
  • 13:06 - 13:09
    and we have a switch
  • 13:14 - 13:17
    we have a system a
  • 13:17 - 13:20
    we have a system b
  • 13:20 - 13:23
    we have a system c
  • 13:23 - 13:26
    and we have a system d
  • 13:27 - 13:31
    now there is a ip called 1.1.1.1
  • 13:31 - 13:35
    it is attacker ip
  • 13:38 - 13:41
    this ip was able to bypass the firewall
  • 13:41 - 13:44
    and it attack system a it attacks system
  • 13:44 - 13:47
    b it attacks system c and attack system
  • 13:47 - 13:48
    d
  • 13:48 - 13:50
    so we got this confirmation that there
  • 13:50 - 13:52
    was ip was able to penetrate into the
  • 13:52 - 13:54
    firewall and able to hack into the
  • 13:54 - 13:56
    internal network and he was able to or
  • 13:56 - 13:58
    she was able to hack the ip or the
  • 13:58 - 14:00
    particular hacker was able to hack into
  • 14:00 - 14:03
    the multiple system
  • 14:03 - 14:04
    so i want to investigate
  • 14:04 - 14:08
    so here the first step what i did
  • 14:08 - 14:10
    i collected the information from the
  • 14:10 - 14:12
    firewall
  • 14:12 - 14:13
    i collected the information from a
  • 14:13 - 14:15
    system a b c d
  • 14:15 - 14:17
    so that is called as a data collection
  • 14:17 - 14:18
    process now here what happened we have
  • 14:18 - 14:22
    collected all type of data
  • 14:22 - 14:23
    i'm not saying i'm collecting a specific
  • 14:23 - 14:25
    type of data but i have collected the
  • 14:25 - 14:27
    all type of data
  • 14:27 - 14:29
    now second step is called as examination
  • 14:29 - 14:31
    now examination is as i said we have
  • 14:31 - 14:33
    collected all type of data but i want to
  • 14:33 - 14:37
    filter is 1.1.1.1
  • 14:37 - 14:38
    okay because from the firewall we we
  • 14:38 - 14:41
    collected 40 gb data and from all the
  • 14:41 - 14:43
    system overall we collected 40 gb data
  • 14:43 - 14:45
    but there is no need for 40 gb data to
  • 14:45 - 14:48
    work on it so i want to examine
  • 14:48 - 14:51
    so i will basically filtered only 1.1
  • 14:51 - 14:53
    data from this total 80 gb data so i
  • 14:53 - 14:56
    concluded around 2 gb of data which is
  • 14:56 - 14:59
    or 1 gb of data led to the 1.1.1 so that
  • 14:59 - 15:00
    is called as examination it means
  • 15:00 - 15:02
    examination is a process of filtering
  • 15:02 - 15:04
    out the information
  • 15:04 - 15:06
    now once the information is filtered and
  • 15:06 - 15:07
    we limit it to
  • 15:07 - 15:10
    1.1.1.1 logs then we try to analyze how
  • 15:10 - 15:11
    this event happened
  • 15:11 - 15:13
    okay so that is basically goes to the
  • 15:13 - 15:16
    analysis and finally we basically report
  • 15:16 - 15:18
    so each and every step we're going to
  • 15:18 - 15:20
    discuss in detail okay so step one is
  • 15:20 - 15:22
    collecting a data all type of data we
  • 15:22 - 15:25
    collect we will not miss anything
  • 15:25 - 15:27
    second step is basically called as a
  • 15:27 - 15:29
    examination i will try to correlate all
  • 15:29 - 15:32
    the data related to 1.1.1 if the data is
  • 15:32 - 15:35
    not related to the 1.1.1 i will
  • 15:35 - 15:36
    basically keep aside and then the
  • 15:36 - 15:39
    filtered data which is in the
  • 15:39 - 15:41
    examination stage on that i will do the
  • 15:41 - 15:43
    analysis to see how this entire incident
  • 15:43 - 15:44
    happened
  • 15:44 - 15:46
    and finally we basically called as a
  • 15:46 - 15:47
    reporting
  • 15:47 - 15:49
    so this is basically the parameter we
  • 15:49 - 15:50
    have so we're going to discuss each and
  • 15:50 - 15:52
    every step now in detail
  • 15:52 - 15:54
    one thing you need to remember in the
  • 15:54 - 15:56
    forensic investigation you need to work
  • 15:56 - 15:58
    strongly on the documentation so
  • 15:58 - 16:00
    documentation should be start from the
  • 16:00 - 16:02
    first phase itself
  • 16:02 - 16:03
    okay and make sure you should maintain
  • 16:03 - 16:06
    the accuracy so let's discuss each and
  • 16:06 - 16:08
    every process in detail
  • 16:08 - 16:10
    see when you're talking about first step
  • 16:10 - 16:12
    which is called as a data collection so
  • 16:12 - 16:15
    where we identifying the data source
  • 16:15 - 16:17
    and acquiring the data from them but
  • 16:17 - 16:19
    problem is that how to acquire data so
  • 16:19 - 16:22
    when you're talking about data
  • 16:22 - 16:24
    we have a two type of data team one is
  • 16:24 - 16:27
    called as a volatile
  • 16:28 - 16:32
    and one is called as a non-volatile
  • 16:35 - 16:38
    okay one is called as a volatile and one
  • 16:38 - 16:40
    is called as a non-volatile sorry for my
  • 16:40 - 16:43
    handwriting let me
  • 16:45 - 16:49
    volatile and non-volatile
  • 16:53 - 16:56
    so whenever like as i said we have a
  • 16:56 - 16:58
    system a
  • 16:59 - 17:02
    we have a system a we have a system b we
  • 17:02 - 17:04
    have a system c a
  • 17:04 - 17:05
    b and c
  • 17:05 - 17:07
    and there was a hacker remotely he was
  • 17:07 - 17:09
    able to hack into the system so always
  • 17:09 - 17:11
    remember whenever you're initiating a
  • 17:11 - 17:13
    forensic investigation
  • 17:13 - 17:15
    never ever shut down the system
  • 17:15 - 17:17
    the reason is very simple because if you
  • 17:17 - 17:19
    shut down the system
  • 17:19 - 17:22
    you might lose the last access data
  • 17:22 - 17:24
    last
  • 17:24 - 17:25
    access data which is reside in the
  • 17:25 - 17:28
    memory
  • 17:28 - 17:30
    so one thing is at first disconnect the
  • 17:30 - 17:32
    network
  • 17:32 - 17:34
    it means remove the network cable
  • 17:34 - 17:36
    and in the case of mobile forensics put
  • 17:36 - 17:38
    the phone in a airplane mode do not
  • 17:38 - 17:41
    remove the sim okay don't shut down the
  • 17:41 - 17:44
    phone remove the
  • 17:45 - 17:47
    you know enable the airplane mode
  • 17:47 - 17:48
    okay
  • 17:48 - 17:50
    some people what they do they remove the
  • 17:50 - 17:52
    sim and then they enable the airplane
  • 17:52 - 17:53
    mode if you remove the sim you might
  • 17:53 - 17:55
    lose the memory data
  • 17:55 - 17:58
    so better is keep them keep the same on
  • 17:58 - 17:59
    but
  • 17:59 - 18:01
    enable the airplane mode okay and then
  • 18:01 - 18:03
    do the investigation now when it come to
  • 18:03 - 18:05
    system here like abc was involved in the
  • 18:05 - 18:07
    ransomware attack or
  • 18:07 - 18:09
    they they were hacked remotely by the
  • 18:09 - 18:11
    hacker the first practice is remove the
  • 18:11 - 18:13
    network cable after doing an impact
  • 18:13 - 18:16
    analysis then the second important thing
  • 18:16 - 18:18
    is obtain the volatile data volatile is
  • 18:18 - 18:21
    basically mean a very sensitive data
  • 18:21 - 18:22
    very
  • 18:22 - 18:23
    um
  • 18:23 - 18:25
    it is not a static data it's a dynamic
  • 18:25 - 18:27
    data because if you shut down the system
  • 18:27 - 18:29
    you might lose this data
  • 18:29 - 18:30
    okay if you shut down the system you
  • 18:30 - 18:32
    might lose this data it's a very dynamic
  • 18:32 - 18:33
    data
  • 18:33 - 18:35
    so there is a sequence in which we need
  • 18:35 - 18:38
    to obtain the volatile data first we
  • 18:38 - 18:40
    need to dump the memory because content
  • 18:40 - 18:43
    of memory is basically include your last
  • 18:43 - 18:44
    access file
  • 18:44 - 18:46
    okay open connections and everything
  • 18:46 - 18:48
    then you have to dump the running
  • 18:48 - 18:50
    process then you dump the open file data
  • 18:50 - 18:51
    then you
  • 18:51 - 18:53
    dump the network configuration and then
  • 18:53 - 18:55
    you dump the operating system time
  • 18:55 - 18:57
    so this is the sequence we have in which
  • 18:57 - 18:59
    we need to obtain the data always
  • 18:59 - 19:01
    remember okay but non-volatile is what
  • 19:01 - 19:03
    you shut down the system and you can
  • 19:03 - 19:04
    make a ghost image of that that is
  • 19:04 - 19:06
    called as a non-volatile
  • 19:06 - 19:08
    so always remember whenever you
  • 19:08 - 19:10
    obtaining a data or collecting a data
  • 19:10 - 19:13
    first you should focus on a volatile
  • 19:13 - 19:15
    data and then you have to focus on the
  • 19:15 - 19:17
    non-volatile data
  • 19:17 - 19:19
    now you have collected all kind of
  • 19:19 - 19:20
    information
  • 19:20 - 19:21
    now second step is called as a
  • 19:21 - 19:23
    examination
  • 19:23 - 19:25
    examination is all about involving
  • 19:25 - 19:27
    assessing and extracting a relevant
  • 19:27 - 19:28
    piece of information from the collected
  • 19:28 - 19:30
    data so what we did we collected all
  • 19:30 - 19:32
    kind of information
  • 19:32 - 19:35
    but i need to focus on the particular ip
  • 19:35 - 19:36
    i need to focus on the particular
  • 19:36 - 19:39
    pattern i don't want anything else i
  • 19:39 - 19:41
    just want that important pattern
  • 19:41 - 19:44
    so i will try to extract this respective
  • 19:44 - 19:46
    ips i will try to extract the
  • 19:46 - 19:48
    particular pattern of traffic and what
  • 19:48 - 19:50
    is not relevant i can ignore that so
  • 19:50 - 19:52
    that is basically called as a second
  • 19:52 - 19:54
    step which is called as a examination
  • 19:54 - 19:57
    and then once you basically examine
  • 19:57 - 19:59
    then you will basically try to do the
  • 19:59 - 20:01
    analysis how this incident happened
  • 20:01 - 20:03
    because now you have a filter data so
  • 20:03 - 20:05
    analysis should include identifying
  • 20:05 - 20:08
    people place items even and determining
  • 20:08 - 20:10
    how these elements are related to the
  • 20:10 - 20:12
    conclusion can be reached so that is
  • 20:12 - 20:15
    called as analysis and finally you
  • 20:15 - 20:17
    prepare the complete report so during a
  • 20:17 - 20:19
    reporting you will compile all the data
  • 20:19 - 20:21
    first compile all the incidents compile
  • 20:21 - 20:23
    all the correlations
  • 20:23 - 20:25
    then in the report you should include
  • 20:25 - 20:27
    the tools the tools that you have used
  • 20:27 - 20:29
    because it's very important to give the
  • 20:29 - 20:31
    information to your stakeholder how you
  • 20:31 - 20:33
    have obtained the data okay who was
  • 20:33 - 20:36
    involved in this crime who was involved
  • 20:36 - 20:37
    in this investigation what was their
  • 20:37 - 20:39
    role any issue that occurred during the
  • 20:39 - 20:41
    entire process all challenges you can
  • 20:41 - 20:43
    document in the report like one day what
  • 20:43 - 20:45
    happened i was doing an investigation of
  • 20:45 - 20:47
    a server but i was not able to access
  • 20:47 - 20:48
    directly a server
  • 20:48 - 20:50
    i was not able to access some pii data
  • 20:50 - 20:51
    because of the compliance and legal
  • 20:51 - 20:54
    regulatory requirement so i can notify
  • 20:54 - 20:55
    this in a report that because of the
  • 20:55 - 20:56
    compliance and legal regulatory
  • 20:56 - 20:58
    requirement we failed to obtain the
  • 20:58 - 20:59
    reports
  • 20:59 - 21:01
    so audience consideration need to be
  • 21:01 - 21:03
    considered if you're giving this report
  • 21:03 - 21:05
    to your technical manager definitely the
  • 21:05 - 21:07
    report will be very technical in nature
  • 21:07 - 21:08
    but if you're giving this report to the
  • 21:08 - 21:10
    senior management then remove all the
  • 21:10 - 21:12
    data and talk about only business
  • 21:12 - 21:14
    reporting should also include the
  • 21:14 - 21:16
    actionable information you know what can
  • 21:16 - 21:18
    be done in the future so many forensics
  • 21:18 - 21:20
    instant response team hold the also
  • 21:20 - 21:23
    formal review after the each major event
  • 21:23 - 21:25
    and such review tend to include the
  • 21:25 - 21:27
    serious consideration of possible
  • 21:27 - 21:29
    improvement to guideline and procedure
  • 21:29 - 21:31
    and typically at least some minor
  • 21:31 - 21:33
    changes are approved and implement after
  • 21:33 - 21:33
    the
  • 21:33 - 21:35
    each review so that is basically part of
  • 21:35 - 21:37
    the reporting
  • 21:37 - 21:39
    Okay, so these are the high level steps we
  • 21:39 - 21:41
    have, that we follow.
  • 21:41 - 21:43
    Now the next thing is called the chain
  • 21:43 - 21:45
    of custody. Now what is chain of custody?
  • 21:45 - 21:47
    See,
  • 21:47 - 21:49
    I have obtained the evidence from this
  • 21:49 - 21:52
    incident scene,
  • 21:53 - 21:55
    okay, I have obtained the evidence
  • 21:55 - 21:57
    from this particular scene, this is the
  • 21:57 - 22:00
    crime scene, like hard disk,
  • 22:00 - 22:01
    data,
  • 22:01 - 22:04
    systems and all that. So I am Prab,
  • 22:05 - 22:06
    okay, I have obtained this evidence from
  • 22:06 - 22:08
    this crime scene, now I hand over this
  • 22:08 - 22:10
    evidence to
  • 22:10 - 22:14
    my colleague whose name is Kapil,
  • 22:14 - 22:16
    okay, Kapil hands over the evidence to
  • 22:16 - 22:19
    Abhishar,
  • 22:19 - 22:21
    okay, so here what happens: a sequence we
  • 22:21 - 22:22
    have
  • 22:22 - 22:24
    in which we have handover, and because
  • 22:24 - 22:26
    Abhishar is the lawyer, Abhishar is
  • 22:26 - 22:28
    basically representing the forensic team
  • 22:28 - 22:29
    who is going to the court and submits this
  • 22:29 - 22:31
    evidence, so this is the chain we have
  • 22:31 - 22:32
    followed,
  • 22:32 - 22:33
    but
  • 22:33 - 22:35
    make sure there should be one document
  • 22:35 - 22:37
    we need to maintain, in which we need to
  • 22:37 - 22:38
    maintain the information about who
  • 22:38 - 22:40
    obtained the evidence, who holds the
  • 22:40 - 22:42
    evidence in the current scenario and what
  • 22:42 - 22:44
    was the hash value, and that document is
  • 22:44 - 22:46
    called the chain of custody.
  • 22:46 - 22:48
    Chain of custody also talks about the
  • 22:48 - 22:50
    sequence in which we have obtained the
  • 22:50 - 22:51
    evidence,
  • 22:51 - 22:53
    okay, whatever the first evidence we have
  • 22:53 - 22:54
    obtained, that will be updated in the
  • 22:54 - 22:56
    document; what is the second evidence we
  • 22:56 - 22:59
    have obtained, document it; when the evidence
  • 22:59 - 23:00
    is handed over to another person, that is
  • 23:00 - 23:03
    documented. So it documents the sequence of
  • 23:03 - 23:04
    the possession,
  • 23:04 - 23:07
    control, transfer, analysis and disposal
  • 23:07 - 23:08
    of things including physical or
  • 23:08 - 23:11
    electronic evidence. An important aspect
  • 23:11 - 23:13
    of evidence recording is the
  • 23:13 - 23:15
    chain of custody. So here we have item
  • 23:15 - 23:17
    one, we have a hard disk, we have given
  • 23:17 - 23:18
    the description, model number and all
  • 23:18 - 23:19
    that,
  • 23:19 - 23:21
    so it is released by Prab and received
  • 23:21 - 23:22
    by
  • 23:22 - 23:24
    Kapil, and we're giving the comment and
  • 23:24 - 23:26
    everything. So this kind of document we
  • 23:26 - 23:28
    have, which is attached with the evidence,
  • 23:28 - 23:30
    and when we submit the evidence in the
  • 23:30 - 23:32
    court we need to submit this document
  • 23:32 - 23:34
    also.
  • 23:34 - 23:35
    So to prove the chain of custody you
  • 23:35 - 23:37
    will need to provide the details of how the
  • 23:37 - 23:39
    evidence was handled at every step of
  • 23:39 - 23:41
    the way, because one thing is that to
  • 23:41 - 23:43
    testify the crime in the court, evidence
  • 23:43 - 23:45
    is the only tool we have, evidence is the
  • 23:45 - 23:47
    only substance we have.
  • 23:47 - 23:48
    If
  • 23:48 - 23:50
    blah blah blah a person has hacked the
  • 23:50 - 23:52
    email, or if blah blah blah the
  • 23:52 - 23:54
    person sent an email to Rita, I need
  • 23:54 - 23:57
    evidence for that, so I went to a
  • 23:57 - 23:59
    particular system, I got the camera
  • 23:59 - 24:01
    records and from there we were able to
  • 24:01 - 24:03
    identify 12 15 that guy is the one who
  • 24:03 - 24:06
    sent the email, so we seized the laptop, we
  • 24:06 - 24:08
    seized the computer of the cyber cafe, we
  • 24:08 - 24:10
    took the picture of the camera, we
  • 24:10 - 24:12
    directly obtained the records from the
  • 24:12 - 24:14
    camera; these all are evidence, but who
  • 24:14 - 24:16
    obtained, when obtained and when we have
  • 24:16 - 24:18
    transferred, that needs to be documented in one
  • 24:18 - 24:20
    paper, and that is called the chain of
  • 24:20 - 24:22
    custody.
  • 24:22 - 24:24
    So to prove chain of custody all examiners
  • 24:24 - 24:26
    need to be prepared to answer the following
  • 24:26 - 24:28
    questions, like proof of evidence,
  • 24:28 - 24:30
    okay: how did you acquire this evidence,
  • 24:30 - 24:32
    when was the evidence gathered and
  • 24:32 - 24:35
    who handled the evidence, okay, so
  • 24:35 - 24:36
    that's the point we have.
  • 24:36 - 24:38
    But when we're talking about good evidence
  • 24:38 - 24:39
    principles,
  • 24:39 - 24:42
    let me give you a very good definition
  • 24:42 - 24:43
    of what is evidence. So if you go by the
  • 24:43 - 24:48
    Oxford dictionary, evidence is a noun
  • 24:49 - 24:52
    actually, okay. Now, example: if someone has
  • 24:52 - 24:54
    physically,
  • 24:54 - 24:56
    if someone has killed one person,
  • 24:56 - 24:57
    okay, one person has killed another
  • 24:57 - 24:59
    person, so the knife is the evidence,
  • 24:59 - 25:02
    the fingerprint on the knife is evidence;
  • 25:02 - 25:03
    that is okay when it comes to the
  • 25:03 - 25:06
    general forensic investigation, but when
  • 25:06 - 25:07
    it comes to digital forensics
  • 25:07 - 25:09
    everything is data,
  • 25:09 - 25:12
    okay, camera records, camera records, IP
  • 25:12 - 25:15
    records, the IP, the IP address belongs to a
  • 25:15 - 25:16
    particular attacker; all these are
  • 25:16 - 25:19
    basically evidence. So evidence is the
  • 25:19 - 25:22
    information or sign indicating whether a
  • 25:22 - 25:25
    belief or proposition is true
  • 25:25 - 25:28
    or valid; information used here to
  • 25:28 - 25:30
    establish the facts in a legal
  • 25:30 - 25:31
    investigation
  • 25:31 - 25:34
    or admissible as testimony in the law
  • 25:34 - 25:35
    court. That is what is called
  • 25:35 - 25:36
    evidence.
  • 25:36 - 25:38
    Okay, so here I will be proposing my system
  • 25:38 - 25:40
    logs, here I am proposing the IP log, so
  • 25:40 - 25:42
    that is evidence. So evidence is the
  • 25:42 - 25:44
    information which indicates whether a
  • 25:44 - 25:46
    belief or proposition is true,
  • 25:46 - 25:49
    and information used to establish the
  • 25:49 - 25:51
    facts in a legal investigation or
  • 25:51 - 25:53
    admissible as testimony in the law
  • 25:53 - 25:56
    court. So the question is what is our evidence,
  • 25:56 - 25:58
    or what is the good evidence principle: the
  • 25:58 - 25:59
    first thing is that make a copy of the
  • 25:59 - 26:00
    system.
  • 26:00 - 26:02
    See, never ever do the investigation on a
  • 26:02 - 26:05
    live system, always remember. Suppose we
  • 26:05 - 26:07
    have a server,
  • 26:08 - 26:09
    this was the actual server which was
  • 26:09 - 26:11
    hacked, so there is no point in doing a
  • 26:11 - 26:14
    live investigation on the server; first
  • 26:14 - 26:17
    make a ghost copy,
  • 26:18 - 26:21
    okay, make a ghost copy and make a copy
  • 26:21 - 26:22
    of the system and then install the copy
  • 26:22 - 26:24
    in another system and do the
  • 26:24 - 26:25
    investigation. So that is the thing. So
  • 26:25 - 26:27
    the question is what kind of copy: so we do
  • 26:27 - 26:29
    the bit-by-bit copy. Bit-by-bit copy is a
  • 26:29 - 26:32
    great copy in which it will capture your
  • 26:32 - 26:34
    deleted files, it will capture your slack
  • 26:34 - 26:35
    space,
  • 26:35 - 26:37
    it captures all your unhidden files
  • 26:37 - 26:38
    and everything. So we always prefer,
  • 26:38 - 26:40
    whenever you're creating a copy of any
  • 26:40 - 26:42
    server, copy of any desktop, go for the
  • 26:42 - 26:45
    bit-by-bit basis, not a file-by-file
  • 26:45 - 26:46
    basis,
  • 26:46 - 26:48
    and the media on which you're making a
  • 26:48 - 26:50
    ghost image, making a copy of the system,
  • 26:50 - 26:52
    that should have a write blocker, that
  • 26:52 - 26:56
    should have a write blocker disk,
  • 26:56 - 26:57
    write
  • 26:57 - 26:58
    blocker
  • 26:58 - 26:59
    disk.
  • 26:59 - 27:01
    Make sure you secure the original and work
  • 27:01 - 27:03
    on the copy, and document everything,
  • 27:03 - 27:06
    whether too small or too big,
  • 27:06 - 27:08
    and do your best to collect data in the
  • 27:08 - 27:10
    order of volatility which we discussed,
  • 27:10 - 27:12
    right: first we dump the memory data, then
  • 27:12 - 27:14
    network connections and all that. So that
  • 27:14 - 27:16
    is the good evidence principle we have.
  • 27:16 - 27:18
    So whenever you drive any kind of
  • 27:18 - 27:20
    investigation strategy, we have some
  • 27:20 - 27:22
    parameters to be understood. The first is
  • 27:22 - 27:24
    that: understand the investigation
  • 27:24 - 27:26
    objectives and timeline. There are a lot
  • 27:26 - 27:28
    of investigators, okay, what they do when
  • 27:28 - 27:30
    they drive any kind of investigation:
  • 27:30 - 27:32
    without doing any analysis they start
  • 27:32 - 27:33
    the investigation; they don't understand
  • 27:33 - 27:35
    the intent of the crime, they don't
  • 27:35 - 27:36
    understand the motive of the hacker, they
  • 27:36 - 27:38
    don't understand the
  • 27:38 - 27:40
    purpose of the crime. So it is very
  • 27:40 - 27:41
    important, whenever you plan your
  • 27:41 - 27:43
    investigation, understand the objectives:
  • 27:43 - 27:45
    what is your timeline, what is the intent,
  • 27:45 - 27:47
    okay. Second is make the list of
  • 27:47 - 27:49
    resources that you want for the
  • 27:49 - 27:50
    investigation;
  • 27:50 - 27:52
    according to the skill set, only take the
  • 27:52 - 27:54
    forensic investigators with you. Now,
  • 27:54 - 27:56
    example: like there was an enterprise
  • 27:56 - 27:58
    which got hacked, and in that enterprise
  • 27:58 - 28:01
    they're using Apple Mac, so we need some
  • 28:01 - 28:03
    forensic investigator who is good in Mac;
  • 28:03 - 28:05
    there's no point in taking a Windows
  • 28:05 - 28:07
    forensic investigator, because we have a
  • 28:07 - 28:08
    different way to do the forensic
  • 28:08 - 28:10
    investigation in Windows, we have a
  • 28:10 - 28:12
    different way of doing a forensic
  • 28:12 - 28:14
    investigation in Linux, we have a
  • 28:14 - 28:15
    different way of doing a forensic
  • 28:15 - 28:17
    investigation in
  • 28:17 - 28:19
    Unix, or we have a different forensic
  • 28:19 - 28:20
    investigation process in the
  • 28:20 - 28:23
    network. So make sure, after understanding
  • 28:23 - 28:25
    the objective and having clarity about
  • 28:25 - 28:27
    what is happening, according to that you
  • 28:27 - 28:29
    need to plan the resources; even the tools
  • 28:29 - 28:31
    are also different:
  • 28:31 - 28:32
    for Windows we have a great tool which
  • 28:32 - 28:34
    cannot be good in Linux, we have good
  • 28:34 - 28:36
    tools in Linux which cannot be great in
  • 28:36 - 28:38
    Windows. So make sure you
  • 28:38 - 28:40
    understand the things and according to
  • 28:40 - 28:42
    that plan the resources. 90% of the
  • 28:42 - 28:44
    forensic teams
  • 28:44 - 28:46
    do literally miserably on the second
  • 28:46 - 28:47
    part;
  • 28:47 - 28:48
    they make a lot of mistakes.
  • 28:48 - 28:50
    Third is identify the potential evidence
  • 28:50 - 28:52
    sources, because that is how you can be able
  • 28:52 - 28:55
    to establish the crime parameters,
  • 28:55 - 28:56
    hacking,
  • 28:56 - 28:57
    like if the hacking initiated from a
  • 28:57 - 29:00
    particular laptop, identifying the IP is the
  • 29:00 - 29:01
    most important priority for us at the
  • 29:01 - 29:03
    first stage, then in the second stage we need to
  • 29:03 - 29:06
    check who is the user who used the laptop.
  • 29:06 - 29:08
    So it is very important to identify the
  • 29:08 - 29:10
    potential evidence sources, and make sure,
  • 29:10 - 29:11
    when you're
  • 29:11 - 29:13
    looking for the evidence source, look for
  • 29:13 - 29:15
    the authenticity. Third is estimate the
  • 29:15 - 29:17
    value and expense of getting
  • 29:17 - 29:19
    each source of evidence; it's very important: I
  • 29:19 - 29:21
    got one evidence directly from a server
  • 29:21 - 29:23
    which got hacked and I got one evidence
  • 29:23 - 29:24
    which is provided by the system
  • 29:24 - 29:26
    administrator; definitely I will trust
  • 29:26 - 29:28
    that evidence which is directly obtained
  • 29:28 - 29:30
    from the server.
  • 29:30 - 29:31
    So we need to estimate the value. So
  • 29:31 - 29:33
    sometimes we have direct evidence and
  • 29:33 - 29:35
    sometimes we have indirect evidence, okay,
  • 29:35 - 29:37
    like someone told me that guy was
  • 29:37 - 29:38
    sitting on the system, that is called
  • 29:38 - 29:40
    indirect evidence, but we have
  • 29:40 - 29:42
    camera logs which talk about that day the
  • 29:42 - 29:45
    person sat on the system and did the
  • 29:45 - 29:46
    hacking from there, so that is called
  • 29:46 - 29:48
    direct evidence.
  • 29:48 - 29:49
    Prioritize your evidence gathering: what
  • 29:49 - 29:51
    is the important need, what needs to be
  • 29:51 - 29:53
    reviewed later. So that is another
  • 29:53 - 29:55
    important thing we have.
  • 29:55 - 29:57
    And make a plan for first acquisition,
  • 29:57 - 29:59
    instead of directly investigating and
  • 29:59 - 30:02
    all that: your 20 to 30 percent of
  • 30:02 - 30:04
    priorities in the first stage when you're
  • 30:04 - 30:06
    acquiring the data, because your entire
  • 30:06 - 30:08
    investigation is depending upon the
  • 30:08 - 30:11
    acquisition of the data. If you acquire the
  • 30:11 - 30:12
    wrong data, based on that you do the
  • 30:12 - 30:14
    wrong action, based on the wrong action you
  • 30:14 - 30:16
    will take the wrong decisions, and the
  • 30:16 - 30:18
    wrong person will feel guilty. So it's
  • 30:18 - 30:21
    very important, whatever you're doing
  • 30:21 - 30:23
    during the time of acquisition, you
  • 30:23 - 30:24
    should thoroughly understand the
  • 30:24 - 30:26
    things; make sure you obtain the accurate
  • 30:26 - 30:27
    data.
  • 30:27 - 30:29
    So this will be the investigation
  • 30:29 - 30:31
    strategy we have when you deal with any
  • 30:31 - 30:32
    kind of crime scene.
  • 30:32 - 30:34
    So now there are some technical tools
  • 30:34 - 30:36
    which are basically used in digital
  • 30:36 - 30:39
    forensics, so that we're going to discuss
  • 30:39 - 30:40
    in the next part.
  • 30:40 - 30:42
    Okay, so now we're going to discuss
  • 30:42 - 30:44
    the different types of tools which are
  • 30:44 - 30:47
    used in the forensic, the digital forensic
  • 30:47 - 30:49
    investigation. So one of the first tools
  • 30:49 - 30:51
    we call the SIFT Workstation. I'm
  • 30:51 - 30:53
    sure you've heard about Kali Linux; now when
  • 30:53 - 30:56
    you install Kali Linux, okay, in any
  • 30:56 - 30:56
    system,
  • 30:56 - 30:59
    it installs with multiple tools, it is
  • 30:59 - 31:02
    like an OS, right, and within that OS you can
  • 31:02 - 31:04
    see the multiple further pen testing or
  • 31:04 - 31:07
    security testing tools. Same like SIFT is
  • 31:07 - 31:09
    like a workstation,
  • 31:09 - 31:10
    their image is available, you can
  • 31:10 - 31:12
    download, you can mount, you can run that
  • 31:12 - 31:15
    system, and that, those utilities, this
  • 31:15 - 31:16
    workstation basically includes
  • 31:16 - 31:19
    multiple tools, okay.
  • 31:19 - 31:21
    So it is one of the popular ones which is
  • 31:21 - 31:23
    used for forensic investigation,
  • 31:23 - 31:24
    and
  • 31:24 - 31:27
    it also consists of several open source
  • 31:27 - 31:29
    incident response tools also, within that
  • 31:29 - 31:31
    workstation, and one of the important
  • 31:31 - 31:33
    features of the SIFT
  • 31:33 - 31:35
    toolkit is that it
  • 31:35 - 31:37
    has some utilities which are used to
  • 31:37 - 31:39
    examine the raw disk,
  • 31:39 - 31:40
    okay, able to understand multiple
  • 31:40 - 31:42
    file systems. So, example: we are running a
  • 31:42 - 31:44
    system A, we are running a system B and
  • 31:44 - 31:46
    we are running a system C,
  • 31:46 - 31:48
    so system A is running with Windows,
  • 31:48 - 31:49
    system B is running with Linux and
  • 31:49 - 31:52
    system C running with Mac;
  • 31:52 - 31:53
    each and every system is running with a
  • 31:53 - 31:55
    different file system. So I installed the
  • 31:55 - 31:58
    SIFT Workstation on this system,
  • 31:58 - 32:01
    which is my laptop, I'm an investigator,
  • 32:01 - 32:03
    and then I basically connect with
  • 32:03 - 32:04
    the systems and extract the data from
  • 32:04 - 32:06
    there,
  • 32:06 - 32:09
    or I can basically boot my system
  • 32:09 - 32:11
    A, boot this particular system with the
  • 32:11 - 32:14
    SIFT Workstation as a live CD, and I
  • 32:14 - 32:16
    can investigate these systems
  • 32:16 - 32:18
    easily. So for me,
  • 32:18 - 32:20
    investigating a different file system
  • 32:20 - 32:22
    will not be the challenge.
  • 32:22 - 32:23
    And
  • 32:23 - 32:25
    the second toolkit that we're using is FTK,
  • 32:25 - 32:27
    which is from the company called AccessData,
  • 32:27 - 32:30
    so in that toolkit, one of the
  • 32:30 - 32:32
    important tools in the toolkit is called
  • 32:32 - 32:35
    FTK Imager. So when we say FTK
  • 32:35 - 32:37
    Imager: within that we have a system A,
  • 32:37 - 32:39
    we have a system B, we have a system C, so
  • 32:39 - 32:41
    this was the system which was hacked
  • 32:41 - 32:42
    remotely,
  • 32:42 - 32:44
    okay, so I want to make a ghost copy of
  • 32:44 - 32:46
    the system, I want to make a copy of the
  • 32:46 - 32:47
    system, because we cannot do the
  • 32:47 - 32:50
    investigation on the live system. So how
  • 32:50 - 32:52
    to do that: in that case the popular tool we
  • 32:52 - 32:55
    are using is FTK Imager. So with the help
  • 32:55 - 32:58
    of FTK Imager we can create an
  • 32:58 - 33:00
    image of the complete system, and then I
  • 33:00 - 33:03
    can basically copy that image or
  • 33:03 - 33:06
    mount that image in another system and
  • 33:06 - 33:08
    then I will do the further investigation
  • 33:08 - 33:09
    on that system. So these are one of
  • 33:09 - 33:11
    the popular tools we have.
  • 33:11 - 33:13
    Along with that we also have another one,
  • 33:13 - 33:16
    which is called the Digital Evidence
  • 33:16 - 33:18
    Forensic Toolkit; it is well popular in
  • 33:18 - 33:21
    intelligence and
  • 33:21 - 33:24
    government activities, and the reason
  • 33:24 - 33:26
    is that they have
  • 33:26 - 33:28
    some tools which have the
  • 33:28 - 33:30
    capability to open encrypted files
  • 33:30 - 33:31
    also,
  • 33:31 - 33:34
    and are able to recover deleted data,
  • 33:34 - 33:37
    okay. So that is why it is one of the
  • 33:37 - 33:39
    popular utilities we have, which is
  • 33:39 - 33:42
    recommended by the different enforcement
  • 33:42 - 33:44
    agencies also, okay.
  • 33:44 - 33:45
    But when we're dealing with different
  • 33:45 - 33:46
    types of
  • 33:46 - 33:47
    uh
  • 33:47 - 33:50
    data, okay, we need to make an image of the
  • 33:50 - 33:52
    system, or we have different types of
  • 33:52 - 33:54
    extensions of the files. So one of the
  • 33:54 - 33:58
    popular extensions we have is dd;
  • 33:58 - 34:00
    dd is called data duplication. So it
  • 34:00 - 34:03
    also comes with a dd utility, which is
  • 34:03 - 34:04
    used to copy
  • 34:04 - 34:07
    the Linux system, and then we can
  • 34:07 - 34:09
    create an image and I can dump the image,
  • 34:09 - 34:11
    I can mount the image in another system
  • 34:11 - 34:13
    and do the investigation. So dd is
  • 34:13 - 34:14
    another
  • 34:14 - 34:16
    type of file we have. Then we have the AFF
  • 34:16 - 34:18
    file format that is basically used in
  • 34:18 - 34:21
    forensic investigation.
  • 34:21 - 34:23
    So it is an extensible open format for the
  • 34:23 - 34:24
    storage of disk images,
  • 34:24 - 34:27
    and it was created to be an open and
  • 34:27 - 34:29
    extensible file format to store disk
  • 34:29 - 34:32
    images and associated metadata.
  • 34:32 - 34:35
    So AFF has a goal to create a disk image
  • 34:35 - 34:37
    format that would not lock the user into a
  • 34:37 - 34:40
    proprietary format that may limit how he or
  • 34:40 - 34:42
    she may be able to analyze that, and today
  • 34:42 - 34:45
    it is a preferred tool for
  • 34:45 - 34:47
    gathering intelligence and resolving
  • 34:47 - 34:50
    security incidents. It means if you make a
  • 34:50 - 34:52
    ghost image, if you make an image in AFF
  • 34:52 - 34:53
    format, suppose you make a copy of the
  • 34:53 - 34:56
    system in AFF format, so in that case we
  • 34:56 - 34:59
    can use this AFF utility with multiple
  • 34:59 - 35:00
    forensic tools.
  • 35:00 - 35:02
    We also have other different types of
  • 35:02 - 35:04
    image, like raw image, which basically
  • 35:04 - 35:07
    does the bit-by-bit copy, and the great
  • 35:07 - 35:09
    advantage of bit-by-bit copy is it will
  • 35:09 - 35:11
    capture the entire disk,
  • 35:11 - 35:13
    the entire volume, without any deletion or
  • 35:13 - 35:16
    addition, and the raw image format was
  • 35:16 - 35:18
    used by dd also, but nowadays
  • 35:18 - 35:20
    multiple forensics applications also
  • 35:20 - 35:22
    support that. It means if we have a system
  • 35:22 - 35:25
    A, system B and system C, when I make a
  • 35:25 - 35:27
    copy of the system and the image is a raw
  • 35:27 - 35:28
    image,
  • 35:28 - 35:30
    so that raw image can be used by
  • 35:30 - 35:32
    multiple forensic tools, because when we
  • 35:32 - 35:34
    need to do the investigation on the
  • 35:34 - 35:35
    system, definitely we are not doing the
  • 35:35 - 35:37
    investigation on the live system, so we
  • 35:37 - 35:39
    mount the image which is created from the
  • 35:39 - 35:42
    system, and the tool will read the image and
  • 35:42 - 35:44
    according to that do the investigation.
  • 35:44 - 35:46
    We also have other extensions like dmp,
  • 35:46 - 35:50
    dump, crash, mem, vmem and mdmp, so this is
  • 35:50 - 35:52
    more like memory dump data.
  • 35:52 - 35:53
    So sometimes, when we need to review the
  • 35:53 - 35:55
    memory and all that, these are the
  • 35:55 - 35:57
    extensions in which we basically save the
  • 35:57 - 36:00
    file. We also have binary dumps for the
  • 36:00 - 36:02
    memory, which are called .bin and .dat
  • 36:02 - 36:06
    files, unallocated raw data or binary,
  • 36:06 - 36:08
    so this is also very useful when we
  • 36:08 - 36:10
    need to investigate the open files and
  • 36:10 - 36:12
    everything. Sometimes, if you want to
  • 36:12 - 36:14
    investigate a virtual machine, we have the
  • 36:14 - 36:16
    extension called vmdk,
  • 36:16 - 36:18
    and when the FTK tool is creating an image,
  • 36:18 - 36:20
    they store the image in this particular
  • 36:20 - 36:21
    format.
  • 36:21 - 36:24
    So this is all from my side, team. If you
  • 36:24 - 36:26
    find this video useful, do let me know in
  • 36:26 - 36:28
    the comment box what is the next video
  • 36:28 - 36:31
    you want me to make on forensics. I'm
  • 36:31 - 36:33
    very happy to receive your feedback, by
  • 36:33 - 36:35
    which I can improve my videos, and
  • 36:35 - 36:37
    I'm sure, if you're new to my channel, do
  • 36:37 - 36:39
    subscribe to my channel and click on the
  • 36:39 - 36:41
    bell icon to make sure you should not
  • 36:41 - 36:43
    miss my future videos on a similar topic,
  • 36:43 - 36:45
    and do let me know in the comment box
  • 36:45 - 36:48
    what are the top popular forensic tools
  • 36:48 - 36:49
    from your point of view which can be
  • 36:49 - 36:51
    used for a forensic investigation, apart
  • 36:51 - 36:53
    from what is mentioned in the slides.
  • 36:53 - 36:55
    Thank you for watching my video,
  • 36:55 - 36:59
    bye, take care.
Title:
Introduction to Digital Forensics - Learn the Basics
Description:

Video Language:
English
Duration:
36:58
