Hello team, welcome to my session on Coffee with Prabh. Today we're going to discuss digital forensics. Yes, it is one of the great career perspectives for the information security professional, so I thought I would make one video on digital forensics. I am planning to make more videos on digital forensics in future, where I am going to discuss some cases. So if you're new to my channel, do subscribe to my YouTube channel and click on the bell icon to make sure you don't miss my future videos on a similar topic.

My name is Prabh Nayar. For more information you can refer to my LinkedIn profile. So without wasting time, let's start with the first part.
So instead of starting with what is forensics or digital forensics, I thought let me first give you a brief idea about cyber crime. Okay, so when we say the word "cyber", and when we say the word "crime", what is that?

When you're talking about cyber: cyber is relating to, or characteristic of, the culture of computers, information technology and virtual reality. So cyber is related to the network, cyber is related to the systems. And crime is basically called an action or omission which constitutes an offense.

So where a computer is involved in committing a crime, where a computer was used to commit a crime, that is basically called a cyber crime. So we have different kinds of expertise involved in the cyber crime investigation. In layman's terms I can say: suppose there is a candidate whose name is Rita. One day she received a threatening email: "Okay, I will kill you," or "I will do something bad." This kind of email Rita received. Now what did Rita do? She reported that issue to the police. Now what did the police do? The police basically contacted the cyber team, and the cyber team basically investigated the email: from where did the email come, what is the IP address of the email, what is the source, what are the details. So here what happened: the computer and its associated details and artifacts have been used to identify who sent the threatening email to Rita.

See, here Rita has not received any kind of physical threat. It means that the person is not standing outside the gate and threatening Rita. She received an email, which is an electronic email; it is not postal mail, it is an electronic email which she received in a mailbox. So based on the data which was received by Rita, we investigated, where we identified who could be the sender: who is the sender, from which IP address this email came. Then we contacted that server, then from the server we identified that the mail had been sent from this particular IP, then we went to that system. But the problem is that that system is used by multiple people. Then we checked the camera; from the camera we identified who was sitting at the computer at that particular time, then we took a picture, and this is how we were able to identify who sent an email to Rita.

Okay, so this is basically where the computer has been used to identify and track, because in this particular condition the computer was used as a tool to commit a crime. Okay, so that is called a cyber crime.

So when we're talking about cyber crime, it has two perspectives. In cyber crime the computers are basically involved to commit the crime. So the question is how. One condition is: the computer is a target. Now, for example, we have a company which is running very critical servers; every day from this particular server we are generating a thousand dollars of business. Now one of our enemies, or one of our competitors, hires hackers and they basically try to shut down the servers, because they know very well that if the server is down it will impact the business. It is actually a crime, because what you're doing here is you are manipulating my servers, you are shutting down my servers, which impacts my business, and it is a loss of money for me. So here, in a cyber crime, the computer was used as a target. Okay, so in this case they have targeted my server. Now here what happened: the hacker is also using his computer, in which he is using a tool to perform the attack, so here the computer was used as a mechanism. So that is why in cyber crime we say "computer as a target", where I'm targeting a computer to hack the computer, and "computer as a tool", meaning I am using my laptop to commit a crime.
So that is basically the usage in cyber crime. Now in cyber crime, if you go by the process, we have multiple types of cyber crime, but here I have categorized cyber crime into three categories: one is called cyber trespass, second is basically called cyber deception, and third is basically called cyber violence.

So first is basically called cyber trespass. Cyber trespass basically refers to the act of crossing the boundaries of ownership in an online environment, or connecting to an unauthorized network. One example I can give you: this is basically the Wi-Fi shop, the coffee shop, sorry. This is the coffee shop we have, okay. I want to send a threatening email to Rita. Definitely, if I use my house IP, or if I use my house internet to send an email, they will be able to track that the mail came from Prabh. Now what happened: I went to the coffee shop, okay, I took one coffee, and they have a Wi-Fi but they are not sharing the username and password with me. So I basically try to hack the Wi-Fi network and use the Wi-Fi network to send an email. So here I have used some other organization's Wi-Fi and through that I was trying to hack. So that is called cyber trespass.

Second is called cyber deception. Cyber deception is basically like phishing, where I'm sending a phishing email to, you know, collect more and more information about the user. Like I sent you a phishing email: "Hey, you won the lottery, and to claim the lottery you need to share your account details and other information." So here what happened: I have collected your information. So that is called cyber deception.

And third is called cyber violence. Now I want to promote some social message, I want to promote some economic message, okay, I want to promote some religious message. So I know the Facebook server, Yahoo server, Google server basically receive huge traffic, so we hack into those servers and we promote our social-economic message. That is why sometimes you notice, whenever you try to browse some website, it will redirect to some kind of social and economic message websites. Okay, so that is basically called cyber violence, where I have the intention to disrupt the society, I have the intention to interrupt, I have the intention to compromise the society.

Okay, like, for example, we have a SCADA plant, we have an ICS plant; ICS stands for industrial control system. Okay, in the Middle East you can see, in the US you can see, a lot of machines are controlled by the computers. Okay, so here what we did is we hacked into the computer networks, okay, and by which we disrupted their power plants, we disrupted their water plant. Okay, a live example is I hack into one water plant, okay, remotely, and I increase the chlorine level of the water, which basically makes it more poisonous, where it becomes very injurious for the person to drink. So this is how I basically perform cyber violence.

So the summary is: using someone's Wi-Fi, using a Wi-Fi and accessing things, that is called cyber trespass. Cyber deception is basically a phishing campaign. And cyber violence is basically where we are disrupting the networks, disrupting the things, and it can also affect someone's human life; things like DoS attacks and DDoS attacks are also part of cyber violence.
So now we're going to discuss the introduction of digital forensics, because we hire forensic investigators, we hire specialized officers who investigate who performed this attack, how this attack happened, and who can be the target, what is the motive for them. So we have a dedicated team, okay; in every country there is a dedicated team who is involved in investigating such kinds of computer crime, and that is called a forensic investigator. And that is my agenda in this particular session, so let's start with the introduction of digital forensics.

Okay, so what is digital forensics? So when you're talking about digital and forensic, it means doing an investigation of digital stuff. So even if you go by the definition: digital forensics is a part of forensic science that focuses on identifying, acquiring, processing, analyzing and reporting on data stored electronically. As I said, when Rita received an email, first we contacted Rita and asked for the email, and we identified the email content, we identified the email header, and from there we got high-level information: from which domain the email came, what is the IP address of the server, and what is the primary location. Then we basically contacted those particular companies and checked those servers from where the mail had been sent, and from there we got the IP that was the sender IP, which was this particular host IP. So here what happened: we are identifying the electronic information, because if you're talking about a general forensic investigation, if someone has killed someone, we physically go there and collect the evidence, the physical evidence. But here everything is digital; you cannot touch that, it is a logical email, you cannot touch it, email is digital data.

Okay, so you have to use specialized tools to extract the email and understand the data; you need to contact the server from where the email was sent, we have to contact that. So here we are basically fighting with the systems, we are not fighting with the person. Here, at the first stage, we are not identifying which person did that; we are identifying which system was basically used to perform this crime, because once we identify the system we will get the system owner details or the system user details. Are you getting the point? So if the mail has been sent from a cyber cafe at 10:15, but that system was used by multiple people, right, then from there we will involve the camera. The camera will have captured the digital data of which person was sitting at that particular system at 10:15, then we will basically contact the person and find out, okay, why did you send this email. So here everything is digital; that is why they say identifying the digital data, okay, acquiring the digital data, processing the data for the correlation, then analyzing the value, and then according to that we do the final report.

But we have different types of digital forensics. Like we have computer forensics: like there was a computer that was hacked, so we identify who hacked that, so there is an investigation involved in the computer aspect. There was a mobile that has been used for threatening; the mobile has been used for sending a WhatsApp message, the mobile was involved in giving a threatening call, so we have investigated the mobiles and identified data from there. Then we have network forensics: someone is basically doing multiple attacks on the networks, so we are dumping the firewall logs, we are identifying the IDS logs (intrusion detection systems); from there we get visibility of what kind of traffic is coming into the network, from where, which source is involved. So that is called network forensics. And last but not the least, we have hardware forensics. Example: like we purchase some hardware devices; it can be my mobile as a hardware device, okay, a router as a hardware device, a system as a hardware device. So sometimes what happens, sometimes it's possible that, okay, you know, the vendor basically embedded malware in that; sometimes the user is embedding some kind of trojan in the hardware. So we are trying to investigate: is this hardware compromised? Okay, because if there is a possibility that the hardware is basically compromised, then it is a concern for us; might be someone has given me one device enabled with some mic and all that, so we need to investigate whether someone has tampered with it or something else. So we have different types of digital forensics, okay. So this is the introduction we have. So now we're going to understand the forensic investigation process.
So on a high level, different books talk about different forensic investigation processes. So here I have categorized the forensic process into four stages: the first stage is collection, second is called examination, third is called analysis, and fourth is called reporting. Let me give an example.

So suppose this is my internet, okay; there is a firewall, and we have a switch; we have a system A, we have a system B, we have a system C, and we have a system D. Now there is an IP called 1.1.1.1; it is the attacker IP. This IP was able to bypass the firewall and it attacked system A, it attacked system B, it attacked system C and attacked system D. So we got this confirmation that there was an IP that was able to penetrate the firewall and hack into the internal network, and he was able, or she was able, or the particular hacker was able, to hack into multiple systems.

So I want to investigate. So here the first step, what I did: I collected the information from the firewall, I collected the information from systems A, B, C, D. So that is called the data collection process. Now here what happened: we have collected all types of data. I'm not saying I'm collecting a specific type of data; I have collected all types of data.

Now the second step is called examination. Now examination is, as I said, we have collected all types of data, but I want to filter for 1.1.1.1, okay, because from the firewall we collected 40 GB of data and from all the systems overall we collected 40 GB of data, but there is no need for 40 GB of data to work on. So I want to examine. So I will basically filter only the 1.1.1.1 data from this total 80 GB of data, so I concluded with around 2 GB of data, or 1 GB of data, related to 1.1.1.1. So that is called examination; it means examination is a process of filtering out the information.

Now once the information is filtered and we limit it to the 1.1.1.1 logs, then we try to analyze how this event happened, okay; so that basically goes to the analysis, and finally we basically report. So each and every step we're going to discuss in detail, okay. So step one is collecting the data: all types of data we collect, we will not miss anything. Second step is basically called examination: I will try to correlate all the data related to 1.1.1.1; if the data is not related to 1.1.1.1 I will basically keep it aside. And then on the filtered data, which is in the examination stage, I will do the analysis to see how this entire incident happened. And finally we basically call it reporting.

So this is basically the parameter we have, so we're going to discuss each and every step now in detail. One thing you need to remember: in the forensic investigation you need to work strongly on the documentation, so documentation should start from the first phase itself, okay, and make sure you maintain accuracy. So let's discuss each and every process in detail.
See, when you're talking about the first step, which is called data collection, there we are identifying the data sources and acquiring the data from them. But the problem is how to acquire the data. So when you're talking about data, we have two types of data, team: one is called volatile and one is called non-volatile. Okay, one is called volatile and one is called non-volatile; sorry for my handwriting, let me write: volatile and non-volatile.

So, like as I said, we have a system A, we have a system B, we have a system C: A, B and C. And there was a hacker; remotely he was able to hack into the system. So always remember, whenever you're initiating a forensic investigation, never ever shut down the system. The reason is very simple: because if you shut down the system, you might lose the last accessed data, the last accessed data which resides in the memory.

So one thing is, at first, disconnect the network; it means remove the network cable. And in the case of mobile forensics, put the phone in airplane mode; do not remove the SIM, okay, don't shut down the phone; enable the airplane mode, okay. Some people, what they do, they remove the SIM and then they enable the airplane mode. If you remove the SIM, you might lose the memory data. So better is keep the SIM in, but enable the airplane mode, okay, and then do the investigation.

Now when it comes to the systems here, like A, B, C were involved in a ransomware attack, or they were hacked remotely by the hacker, the first practice is remove the network cable, after doing an impact analysis. Then the second important thing is to obtain the volatile data. Volatile basically means very sensitive data; it is not static data, it's dynamic data, because if you shut down the system you might lose this data. Okay, if you shut down the system you might lose this data; it's very dynamic data.

So there is a sequence in which we need to obtain the volatile data. First we need to dump the memory, because the content of memory basically includes your last accessed files, okay, open connections and everything. Then you have to dump the running processes, then you dump the open file data, then you dump the network configuration, and then you dump the operating system time. So this is the sequence we have in which we need to obtain the data; always remember, okay. But non-volatile is where you shut down the system and you can make a ghost image of that; that is called non-volatile. So always remember, whenever you're obtaining data or collecting data, first you should focus on the volatile data and then you have to focus on the non-volatile data. Now you have collected all kinds of information.

Now the second step is called examination.
Examination is all about assessing and extracting relevant pieces of information from the collected data. So what we did: we collected all kinds of information, but I need to focus on the particular IP, I need to focus on the particular pattern; I don't want anything else, I just want that important pattern. So I will try to extract these respective IPs, I will try to extract the particular pattern of traffic, and what is not relevant I can ignore. So that is basically called the second step, which is called examination.

And then, once you basically examine, then you will basically try to do the analysis of how this incident happened, because now you have the filtered data. So analysis should include identifying people, places, items, events and determining how these elements are related so that a conclusion can be reached. So that is called analysis.

And finally you prepare the complete report. So during reporting you will compile all the data first: compile all the incidents, compile all the correlations. Then in the report you should include the tools, the tools that you have used, because it's very important to give the information to your stakeholders about how you have obtained the data, okay; who was involved in this crime, who was involved in this investigation, what was their role; any issue that occurred during the entire process, all challenges you can document in the report. Like one day what happened: I was doing an investigation of a server, but I was not able to access the server directly; I was not able to access some PII data because of compliance and legal regulatory requirements. So I can note this in the report: that because of compliance and legal regulatory requirements we failed to obtain the reports.

So audience considerations need to be considered. If you're giving this report to your technical manager, definitely the report will be very technical in nature, but if you're giving this report to senior management, then remove all the data and talk only about business. Reporting should also include actionable information, you know, what can be done in the future. So many forensics and incident response teams also hold a formal review after each major event, and such reviews tend to include serious consideration of possible improvements to guidelines and procedures, and typically at least some minor changes are approved and implemented after each review. So that is basically part of the reporting. Okay, so these are the high-level steps we have that we follow.
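The four stages described above (collection, examination, analysis, reporting) run over a handful of constructed firewall and host log lines, as an added example that is not part of the video. The log line format, the host names, the attacker IP 1.1.1.1 from the talk, and the report fields are assumptions made for this illustration.

```python
"""Worked example of the four-stage forensic process: collection, examination,
analysis, reporting. Added illustration, not code from the video. The log line
format "<timestamp> <source> <message>", the host names and the report fields
are assumptions made for this example."""

ATTACKER_IP = "1.1.1.1"

# Constructed sample evidence (not real logs). The firewall line format and the
# host event wording are invented for the example.
FIREWALL_LOGS = [
    "2023-05-01T10:14:02 firewall ALLOW 1.1.1.1 -> 10.0.0.11:445",
    "2023-05-01T10:14:05 firewall ALLOW 203.0.113.9 -> 10.0.0.12:443",
    "2023-05-01T10:15:30 firewall ALLOW 1.1.1.1 -> 10.0.0.12:445",
    "2023-05-01T10:16:11 firewall ALLOW 1.1.1.1 -> 10.0.0.13:3389",
    "2023-05-01T10:17:40 firewall DENY 1.1.1.1 -> 10.0.0.14:22",
    "2023-05-01T10:18:00 firewall ALLOW 1.1.1.10 -> 10.0.0.11:80",
]
HOST_LOGS = [
    "2023-05-01T10:14:03 systemA logon from 1.1.1.1 user=admin",
    "2023-05-01T10:15:31 systemB logon from 1.1.1.1 user=admin",
    "2023-05-01T10:15:45 systemB backup job finished",
    "2023-05-01T10:16:12 systemC rdp session from 1.1.1.1 user=svc",
    "2023-05-01T10:20:00 systemD scheduled scan completed",
]


def collect(*sources):
    """Step 1, collection: take everything from every source, filter nothing."""
    return [(name, line) for name, lines in sources for line in lines]


def examine(collected, ip):
    """Step 2, examination: keep only records mentioning the IP under
    investigation. Tokens are compared whole, so 1.1.1.1 does not also
    match 1.1.1.10; unrelated data is set aside, not deleted."""
    return [(src, line) for src, line in collected if ip in line.split()]


def analyze(relevant, ip):
    """Step 3, analysis: order the filtered records in time and work out
    which systems the IP reached, what was blocked, and first/last sighting."""
    timeline = sorted(relevant, key=lambda rec: rec[1].split()[0])
    hosts, blocked = set(), []
    for _src, line in timeline:
        fields = line.split()
        if fields[1] != "firewall":
            hosts.add(fields[1])        # host-side event: that host was touched
        elif fields[2] == "DENY":
            blocked.append(fields[-1])  # destination the firewall refused
    return {
        "ip": ip,
        "first_seen": timeline[0][1].split()[0],
        "last_seen": timeline[-1][1].split()[0],
        "hosts_reached": sorted(hosts),
        "blocked_destinations": blocked,
        "event_count": len(timeline),
    }


def report(collected, relevant, findings, tools, audience="technical"):
    """Step 4, reporting: compile the findings, record the tools used so the
    stakeholder knows how the data was obtained, and shape the content for
    the audience (management gets the business summary, not the raw data)."""
    rep = {
        "records_collected": len(collected),
        "records_examined": len(relevant),
        "tools_used": list(tools),
        "summary": (f"{findings['ip']} reached {len(findings['hosts_reached'])} "
                    f"internal systems between {findings['first_seen']} "
                    f"and {findings['last_seen']}"),
    }
    if audience == "technical":
        rep["findings"] = findings
        rep["timeline"] = [line for _src, line in
                           sorted(relevant, key=lambda rec: rec[1].split()[0])]
    return rep


if __name__ == "__main__":
    everything = collect(("firewall", FIREWALL_LOGS), ("hosts", HOST_LOGS))
    filtered = examine(everything, ATTACKER_IP)
    found = analyze(filtered, ATTACKER_IP)
    print(report(everything, filtered, found, tools=["grep"], audience="management"))
```

The whole-token match in `examine` is the detail worth keeping: a naive substring filter for `1.1.1.1` would also pull in the unrelated `1.1.1.10` line and quietly inflate the "examined" data that the analysis and report are built on.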
Now the next thing is called chain of custody. Now what is chain of custody? See, I have obtained the evidence from this incident scene, okay; I have obtained the evidence from this particular scene, this is the crime scene: like hard disk, data, systems and all that. So I am Prabh, okay; I have obtained this evidence from this crime scene. Now I hand over this evidence to my colleague whose name is Kapil, okay; Kapil hands over the evidence to Abhishar, okay. So here what happens: we have a sequence in which we have handed over, and because Abhishar is the lawyer, Abhishar is basically representing the forensic team, who is going to the court and submitting this evidence. So this is the chain we have followed.

But make sure there is one document we need to maintain, in which we need to maintain the information about who obtained the evidence, who holds the evidence in the current scenario and what was the hash value, and that document is called the chain of custody. Chain of custody also talks about the sequence in which we have obtained the evidence. Okay, whatever the first evidence we have obtained, that will be updated in the document; what is the second evidence we have obtained, document it; when the evidence is handed over to another person, that is documented. So it documents the sequence of the possession, control, transfer, analysis and disposal of things, including physical or electronic evidence. An important aspect of evidence recording is the chain of custody. So here we have item one, we have a hard disk, we have given the description, model number and all that; so it is released by Prabh and received by Kapil, and we're giving the comment and everything. So this kind of document we have, which is attached with the evidence, and when we submit the evidence in the court we need to submit this document also.

So to prove the chain of custody you will need to provide the details of how the evidence was handled at every step of the way, because one thing is that to testify about the crime in the court, evidence is the only tool we have, evidence is the only substance we have. If blah blah blah, a person has hacked the email, or if blah blah blah, the person sent the mail to Rita, I need evidence for that. So I went to a particular system, I got the camera records, and from there we were able to identify that at 12:15 that guy is the one who sent the email. So we seized the laptop, we seized the computer of the cyber cafe, we took the picture from the camera, we directly obtained the records from the camera; these all are evidence. But who obtained, when obtained and when we transferred, that needs to be documented in one paper, and that is called the chain of custody.

So to prove chain of custody, all examiners need to be prepared to answer the following questions, like proof of evidence: okay, how did you acquire this evidence, when was the evidence gathered, and who handled the evidence. Okay, so that's the point we have.
But when we're talking about the good evidence principle, let me give you a very good definition of what evidence is. So if you go by the Oxford dictionary, evidence is a noun, actually, okay. Now, for example, if someone has physically... if someone has killed one person, okay, one person has killed another person, so the knife is the evidence, the fingerprint on the knife is evidence. That is okay when it comes to a general forensic investigation, but when it comes to digital forensics, everything is data. Okay: camera records, IP records, the IP address belonging to a particular attacker, all these are basically evidence. So evidence is the information or signs indicating whether a belief or proposition is true or valid; information used here to establish the facts in a legal investigation, or admissible as testimony in a law court. That is what is called evidence.

Okay, so here I will be proposing my system logs, here I am proposing the IP logs, so that is evidence. So evidence is the information which indicates whether a belief or proposition is true, and information used to establish the facts in a legal investigation or admissible as testimony in a law court.

So the question is, what is our evidence, or what is the good evidence principle? The first thing is to make a copy of the system. See, never ever do the investigation on the live system; always remember. Suppose we have a server; this was the actual server which was hacked. So there is no point in doing a live investigation on the server. First make a ghost copy, okay, make a ghost copy, make a copy of the system, and then install the copy in another system and do the investigation. So that is the thing. So the question is, what kind of copy? So we do the bit-by-bit copy. A bit-by-bit copy is a great copy, in which it will capture your deleted files, it will capture your slack space, it captures all your hidden files and everything. So we always prefer, whenever you're creating a copy of any server, a copy of any desktop, go for the bit-by-bit basis, not a file-by-file basis.

And the media on which you're making a ghost image, making a copy of the system, that should have a write blocker; that should have a write blocker disk: write blocker disk. Make sure you secure the original and work on the copy, and document everything, whether too small or too big, and do your best to collect data in the order of volatility which we discussed, right: first we dump the memory data, then network connections and all that. So that is the good evidence principle we have.
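A chain-of-custody record tied to the evidence hash, as an added example for both the chain of custody section and the good evidence principle above; it is not code from the video. The evidence item, the three names from the talk (Prabh, Kapil, Abhishar), the timestamps and the record fields are constructed, and SHA-256 is assumed as the hash algorithm (the talk only says "hash value").

```python
"""Chain-of-custody record with hash verification and a bit-by-bit versus
file-by-file copy comparison. Added example, not code from the video. The
"disk" contents, names, timestamps and record fields are constructed; SHA-256
is an assumed choice of hash."""
import hashlib

# Constructed "disk": a live file, slack space after it, and a deleted file's remnant.
LIVE_FILE = b"report.docx: quarterly numbers"
SLACK = b"\x00" * 8 + b"old pass"
DELETED = b"[deleted] wire-instructions.txt"
ORIGINAL_DISK = LIVE_FILE + SLACK + DELETED


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_for_bit_copy(disk: bytes) -> bytes:
    """Image every byte, so slack space and deleted content come along."""
    return bytes(disk)


def file_by_file_copy(disk: bytes) -> bytes:
    """Simulates copying only the live file: slack and deleted data are lost."""
    return disk[: len(LIVE_FILE)]


class ChainOfCustody:
    """One record per evidence item: who acquired it, every hand-over, and the
    hash at each step, so the court can see the item was never altered."""

    def __init__(self, item_id, description, acquired_by, acquired_at, data, how):
        self.item_id = item_id
        self.description = description
        self.original_hash = sha256_of(data)
        self.entries = [{
            "action": "acquired", "released_by": None, "received_by": acquired_by,
            "at": acquired_at, "hash": self.original_hash, "comment": how,
        }]

    def current_holder(self):
        return self.entries[-1]["received_by"]

    def transfer(self, released_by, received_by, at, data, comment=""):
        """Record a hand-over. Refused if the releasing party is not the current
        holder, or if the item no longer hashes to the value taken at acquisition."""
        if released_by != self.current_holder():
            raise ValueError(f"{released_by} does not currently hold the item")
        digest = sha256_of(data)
        if digest != self.original_hash:
            raise ValueError("hash mismatch: evidence altered since acquisition")
        self.entries.append({
            "action": "transferred", "released_by": released_by,
            "received_by": received_by, "at": at, "hash": digest, "comment": comment,
        })

    def verify(self):
        """True if no hash ever changed and each release came from the previous holder."""
        ok = all(e["hash"] == self.original_hash for e in self.entries)
        for prev, cur in zip(self.entries, self.entries[1:]):
            ok = ok and cur["released_by"] == prev["received_by"]
        return ok

    def answers(self):
        """The three questions an examiner must be ready to answer in court."""
        first = self.entries[0]
        return {
            "how_acquired": first["comment"],
            "when_gathered": first["at"],
            "who_handled": [e["received_by"] for e in self.entries],
        }


def build_example_chain():
    """Prabh images the disk at the scene, hands it to Kapil, Kapil to Abhishar."""
    image = bit_for_bit_copy(ORIGINAL_DISK)
    coc = ChainOfCustody("item-1", "hard disk, model <placeholder>", "Prabh",
                         "2023-05-01T11:00:00Z", image,
                         how="bit-by-bit image taken through a write blocker")
    coc.transfer("Prabh", "Kapil", "2023-05-01T15:30:00Z", image, "sealed, for examination")
    coc.transfer("Kapil", "Abhishar", "2023-05-03T09:00:00Z", image, "for court submission")
    return coc


if __name__ == "__main__":
    chain = build_example_chain()
    print(chain.verify(), chain.current_holder(), chain.answers())
    # A file-by-file copy drops slack and deleted data, so its hash differs.
    print(sha256_of(file_by_file_copy(ORIGINAL_DISK)) == chain.original_hash)
```

The two refusals in `transfer` are the point of the record: a hand-over from someone who does not hold the item, or of an item whose hash no longer matches the acquisition hash, is exactly what opposing counsel would ask about, so the document should not be able to contain it.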
So whenever you drive any kind of investigation strategy, we have some parameters to understand. The first is that you understand the investigation objectives and timeline. There are a lot of investigators, okay, what they do: when they drive any kind of investigation, without doing any analysis they start the investigation; they don't understand the intent of the crime, they don't understand the motive of the hacker, they don't understand the purpose of the crime. So it is very important, whenever you plan your investigation, understand the objectives, what is your timeline, what is the intent.

Okay, second is make the list of resources that you want for the investigation. According to the skill set, only take the forensic investigators with you. Now, for example, there was an enterprise which got hacked, and in that enterprise they're using Apple Mac, so we need some forensic investigator who is good in Mac; there's no point in taking a Windows forensic investigator, because we have a different way to do the forensic investigation in Windows, we have a different way of doing a forensic investigation in Linux, we have a different way of doing a forensic investigation in Unix, and we have a different forensic investigation process in the network. So make sure, after understanding the objective and having clarity about what is happening, according to that you need to plan the resources. Even the tools are also different: for Windows we have a great tool which cannot be good in Linux; we have good tools in Linux which cannot be great in Windows. So make sure you understand the things and according to that plan the resources. 90% of the forensic teams do literally miserably on the second part; they make a lot of mistakes.

Third is identify the potential evidence sources, because that is how you can establish the crime parameters. Hacking: like, if the hacking was initiated from a particular laptop, identifying the IP is the most important priority for us at the first stage; then in the second stage we need to check who is the user who used the laptop. So it is very important to identify the potential evidence source, and make sure, when you're looking for the evidence source, look for the authenticity.

Next is estimate the value and expense of getting each source of evidence. It's very important: I got one piece of evidence directly from a server which got hacked, and I got one piece of evidence which was provided by the system administrator; definitely I will trust that evidence which is directly obtained from the server. So we need to estimate the value. So sometimes we have direct evidence and sometimes we have indirect evidence, okay. Like someone told me that guy was sitting at the system; that is called indirect evidence. But we have camera logs which tell us that on that day the person sat at the system and did the hacking from there, so that is called direct evidence.

Prioritize your evidence gathering: what is the important need, what needs to be reviewed later. So that is another important thing we have. And make a plan for the first acquisition. Instead of directly investigating and all that, 20 to 30 percent of your priorities are in the first stage, when you're acquiring the data, because your entire investigation depends upon the acquisition of the data. If you acquire the wrong data, based on that you do the wrong action; based on the wrong action you will take the wrong decisions, and the wrong person will feel guilty. So it's very important, whatever you're doing during the time of acquisition, you should thoroughly understand the things; make sure you obtain the accurate data.

So this will be the investigation strategy we have when you deal with any kind of crime scene. So now there are some technical tools which are basically used in digital forensics, which we're going to discuss in the next part.
Okay, so now we're going to discuss the different types of tools which are used in a forensic or digital forensic investigation. The first tool we call the SIFT Workstation. I'm sure you have heard about Kali Linux: when you install Kali Linux on any system, it installs with multiple tools. It is like an OS, right, and within that OS you can see multiple further pen testing or security testing tools. In the same way, SIFT is like a workstation. Its image is available; you can download it, you can mount it, you can run that system, and this workstation basically includes multiple tools and utilities, okay.

So it is one of the popular ones used for forensic investigation, and it also consists of several open source incident response tools within that workstation. One of the important features of the SIFT toolkit is that it has some utilities which are used to examine the raw disk, and it is able to understand multiple file systems. For example, we are running a system A, a system B and a system C. System A is running Windows, system B is running Linux and system C is running Mac. Each and every system is running a different file system. So I install the SIFT Workstation on this system, which is my laptop (I'm the investigator), and then I connect to the systems and extract the data from there. Or I can boot this particular system with the SIFT Workstation as a live CD, and I can investigate these systems easily. So for me, investigating different file systems will not be a challenge.
-
The second toolkit we are using is FTK, which is from the company called AccessData. One of the important tools in that toolkit is called FTK Imager. When we say FTK Imager: we have a system A, a system B and a system C, and this was the system which was hacked remotely. Okay, so I want to make a ghost copy of the system; I want to make a copy of the system because we cannot do the investigation on the live system. So how to do that? In that case the popular tool we are using is FTK Imager. With the help of FTK Imager we can create an image of the complete system, and then I can copy that image or mount that image on another system, and then I will do the further investigation on that system. So these are some of the popular tools we have.
-
Along with that we also have another one which is called the Digital Evidence Forensic Toolkit. It is very popular in intelligence and government activities, and the reason is that they have some tools which have the capability to open encrypted files and are able to recover deleted data. Okay, so that is why it is one of the popular utilities we have, which is recommended by different enforcement agencies also, okay.
-
But when we are dealing with different types of data, okay, we need to make an image of the system, or we have different types of extensions of the files. One of the popular extensions we have is dd. dd is called data duplication, so it also comes with a dd utility which is used to copy the Linux system, and then we can create an image and I can dump the image, I can mount the image on another system and do the investigation. So dd is another type of file we have.

Then we have the AFF file format, which is basically used in forensic investigation. It is an extensible open format for the storage of disk images, and it was created to be an open and extensible file format to store disk images and associated metadata. So AFF has the goal to create a disk image format that would not lock the user into a proprietary format that may limit how he or she may be able to analyze it, and today it is a preferred tool for gathering intelligence and resolving security incidents. It means if you make a ghost image, if you make an image in AFF format, suppose you make a copy of the system in AFF format, in that case we can use this AFF utility with multiple forensic tools.
-
We also have other different types of image, like the raw image, which basically does a bit-by-bit copy, and the great advantage of a bit-by-bit copy is that it will capture the entire disk, the entire volume, without any deletion or addition. The raw image format was used by dd also, but nowadays multiple forensic applications also support it. It means if we have a system A, system B and system C, when I make a copy of the system and the image is a raw image, that raw image can be used by multiple forensic tools, because when we need to do the investigation on the system, definitely we are not doing the investigation on the live system. So we mount the image which is created from a system, and the tool will read the image and, according to that, do the investigation.
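The raw, bit-by-bit copy described above, done with dd and then checked by hash, as an added example that is not from the video and not code from any of the tools it names. It assumes a Linux or BSD shell with dd and sha256sum available, and it uses a constructed 64 KiB file as the "disk"; the /dev/sdb path mentioned in the comments is only an illustration of what the source would be in a real acquisition.

```shell
#!/bin/sh
# Added example (not from the video): acquire a raw, bit-for-bit (dd) image
# of a source and verify it by SHA-256, then re-verify the image later.
# Assumes dd and sha256sum; the demo functions construct a sample "disk" file,
# and /dev/sdb in the comments is only an illustrative device name.

# hash_of FILE: SHA-256 digest of FILE as a hex string
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire_raw_image SOURCE IMAGE
# Copies SOURCE (e.g. /dev/sdb, attached read-only) to IMAGE sector by sector,
# stores the image hash next to it, and succeeds only if the image hashes the
# same as the source. conv=noerror,sync keeps going past unreadable sectors
# and zero-fills them so offsets stay aligned; because sync pads the final
# partial block up to bs, bs=512 (one sector) is used so that a source whose
# size is a multiple of 512 bytes yields a byte-identical image.
acquire_raw_image() {
    src="$1"
    img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    # sha256sum-compatible record kept beside the image for the custody log
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE: recompute the hash and compare with the stored record
verify_image() {
    img="$1"
    expected=$(awk '{print $1}' "$img.sha256") || return 1
    [ -n "$expected" ] && [ "$(hash_of "$img")" = "$expected" ]
}

# make_sample_disk FILE: constructed 64 KiB "disk" (128 sectors of random data)
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=128 2>/dev/null
}

# demo_acquire: succeeds when acquisition and a later verification both pass
demo_acquire() {
    tmp=$(mktemp -d) || return 1
    make_sample_disk "$tmp/disk.bin"
    acquire_raw_image "$tmp/disk.bin" "$tmp/evidence.dd" \
        && verify_image "$tmp/evidence.dd"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# demo_tamper: succeeds when an image modified after acquisition is rejected
demo_tamper() {
    tmp=$(mktemp -d) || return 1
    make_sample_disk "$tmp/disk.bin"
    acquire_raw_image "$tmp/disk.bin" "$tmp/evidence.dd" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/evidence.dd"   # simulate a change made after imaging
    if verify_image "$tmp/evidence.dd"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

demo_acquire && echo "acquisition verified: image hash matches source"
demo_tamper  && echo "tampered image correctly rejected"
```

The stored `.sha256` record is what lets a second examiner, or a court, confirm months later that the image being analysed is the one that was taken; the tamper demo shows that even a single appended byte is caught.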
-
We also have other extensions like .dmp, .dump, .crash, .mem, .vmem and .mdmp; these are more like memory dump data. So sometimes, when we need to review the memory and all that, these are the extensions in which we basically save a file. We also have binary dumps for the memory, which are called .bin and .dat files (unallocated data or binary). So this is also very useful when we need to investigate the open files and everything. Sometimes, if you want to investigate a virtual machine, we have the extension called .vmdk. And when the FTK tool is creating an image, they store the image in this particular format.
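Because the extensions just listed are only names, a practitioner checks the file header before handing an image to a tool. The following is an added example, not from the video and not part of any of the products it mentions: it reads the first bytes of a file with od and matches them against the documented signatures of the E01/Expert Witness format (written by EnCase and FTK Imager), AFF, VMware VMDK, Windows minidump and makedumpfile crash dumps, treating anything without a header as a raw dd image or raw memory dump. The sample files it creates are constructed here with deliberately wrong extensions; they are not evidence from any real system.

```shell
#!/bin/sh
# Added example (not from the video): tell image and dump formats apart by
# their leading bytes instead of trusting the file extension. The signatures
# are the documented file headers of each format; the sample files below are
# constructed for the demo and are not evidence from any real system.

# magic_hex FILE: first 8 bytes of FILE as lowercase hex without separators
magic_hex() {
    od -An -tx1 -N8 "$1" | tr -d ' \n'
}

# identify_image FILE: print a short tag for the detected container
#   ewf    Expert Witness / E01 (EnCase, FTK Imager)      "EVF\t\r\n\xff\0"
#   aff    Advanced Forensic Format                        "AFF\r\n"
#   vmdk   VMware sparse virtual disk                      "KDMV"
#   mdmp   Windows minidump                                "MDMP"
#   kdump  Linux crash dump written by makedumpfile        "KDUMP"
#   raw    no recognised header: dd/raw disk image or raw memory dump
#          (.dd, .mem, .vmem, .bin), which carries no signature at all
identify_image() {
    case "$(magic_hex "$1")" in
        455646090d0aff00*) echo ewf ;;
        4146460d0a*)       echo aff ;;
        4b444d56*)         echo vmdk ;;
        4d444d50*)         echo mdmp ;;
        4b44554d50*)       echo kdump ;;
        *)                 echo raw ;;
    esac
}

# make_samples DIR: write constructed files whose extensions are deliberately
# misleading, to show that the header, not the name, decides the format
make_samples() {
    printf 'EVF\011\015\012\377\000\001\000' > "$1/disk.dd"     # really E01
    printf 'AFF\015\012\000\001'             > "$1/disk.img"    # really AFF
    printf 'KDMV\001\000\000\000'            > "$1/disk.raw"    # really VMDK
    printf 'MDMP\000\000\000\000'            > "$1/memory.mem"  # really minidump
    printf 'KDUMP   \006\000\000\000'        > "$1/vmcore"      # makedumpfile
    dd if=/dev/zero of="$1/sdb.E01" bs=512 count=4 2>/dev/null  # really raw
}

# report DIR: one line per file, e.g. "disk.dd: ewf"
report() {
    for f in "$1"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(identify_image "$f")"
    done
}

tmp=$(mktemp -d)
make_samples "$tmp"
report "$tmp"
rm -rf "$tmp"
```

The `raw` result is a negative finding, not a positive one: a file with no header could equally be a dd image, a VMware .vmem file or a truncated copy, so its size and hash record still have to be checked against the acquisition notes before it is mounted.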
-
So this is all from my side, team. If you find this video useful, do let me know in the comment box what is the next video you want me to make on forensics. I'm very happy to receive your feedback, by which I can improve my videos. And if you're new to my channel, do subscribe to my channel and click on the bell icon to make sure you do not miss my future videos on a similar topic. And do let me know in the comment box what are the top popular forensic tools from your point of view which can be used for a forensic investigation, apart from what is mentioned in the slides.

Thank you for watching my video. Bye, take care.