Hello team, welcome to my session on Coffee with Prabh. Today we're going to discuss digital forensics. Yes, it is a great career perspective for the information security professional, so I thought I would make one video on digital forensics. I am planning to make more videos on digital forensics in future where I am going to discuss some cases, so if you're new to my channel, do subscribe to my YouTube channel and click on the bell icon to make sure you don't miss my future videos on similar topics.

My name is Prabh Nair; for more information you can refer to my LinkedIn profile. So without wasting time, let's start with the first part.
So instead of starting with what is forensics or digital forensics, I thought let me first give you a brief idea about cyber crime. Okay, so when we say the word cyber, and when we say the word crime, what is that?

When you're talking about cyber, cyber is relating to or characteristic of the culture of computers, information technology, and virtual reality. So cyber is related to the network, cyber is related to the systems. And crime is basically called an action or omission which constitutes an offense.

So where a computer is involved in committing a crime, where a computer was used to commit a crime, that is basically called a cyber crime. So we have different kinds of expertise involved in the cyber crime investigation. In layman's terms, I can say suppose there is a candidate whose name is Rita. One day she received a threatening email saying okay, I will kill you, or I will do something bad. So this kind of email Rita received. Now what did Rita do? She reported that issue to the police. Now what did the police do? The police basically contacted the cyber team. And the cyber team basically investigated the email: from where the email comes, what is the IP address of the email, what is the source, what are the details. So here what happened: the computer and its associated details and artifacts have been used to identify who sent the threatening email to Rita.

See here that Rita has not received any kind of physical threat, okay? I mean that the person is not standing outside the gate and threatening Rita. She received an email, which is an electronic email; it is not postal mail, it is an electronic email which she received in a mailbox. So based on the data which is received by Rita, we have investigated, where we identify what can be the sender, who is the sender, from which IP address this email came, then we contact that server. Then from the server we identify the mail has been sent from this particular IP, then we went to that system, but the problem is that that system is used by multiple people. Then we check the camera. From the camera we identify who was sitting on the computer at that particular time, then we took a picture, and this is how we have investigated and identified who sent an email to Rita.

Okay, so this is basically where the computer has been used to identify and track, because in this particular condition the computer was used as a tool to commit a crime, okay? So that is called a cyber crime. So when we're talking about cyber crime, it has two perspectives.

So in cyber crime the computers are basically involved to commit the crime, so the question is how? One condition is the computer is a target. Now for example, we have a company which is running very critical servers. Every day from this particular server we are generating a thousand dollars of business. Now one of our enemies or one of our competitors hires hackers and they basically try to shut down the servers, because they know very well if the server is down, it will impact the business. It is actually a crime, because what you're doing here is you are manipulating my servers, you are shutting down my servers, which impacts my business, and it is a loss of money for me. So here in a cyber crime the computer was used as a target. Okay, so in this case they have targeted my server. Now here what happened: the hacker is also using his computer, on which he is using a tool to perform the attack, so here the computer was used as a mechanism. So that is why in cyber crime we say computer as a target, where I'm targeting a computer to hack the computer, and computer in use, I mean I am using my laptop to commit a crime.
So that is basically the usage of cyber crime. Now in cyber crime, if you go by the process we have multiple types of cyber crime, but here I have categorized cyber crime into three categories. One is called cyber-trespass, the second is basically called cyber-deception, and the third is basically called cyber-violence.

So the first is basically called cyber trespass. Cyber trespass basically refers to the act of crossing the boundaries of ownership in an online environment, or connecting with an unauthorized network. One example I can give you: this is basically the Wi-Fi shop we have. Coffee shop, sorry. This is the coffee shop we have. Okay, I want to send a threatening email to Rita. Definitely if I use my house IP or my house internet to send an email, they will be able to track that the mail came from Prabh. Now what happened, I went to a coffee shop. Okay, I took one coffee. And they have Wi-Fi but they're not sharing the user and password with me, so I basically try to hack the Wi-Fi network and use the Wi-Fi network to send an email. So here I have used some other organization's Wi-Fi, and through that I was trying to hack, so that is called cyber trespass.

Second is called cyber deception. Cyber deception is basically like phishing, where I'm sending a phishing email to, you know, collect more and more information about the user. Like I sent you a phishing email: hey, you won the lottery, and to claim the lottery you need to share your account details and other information. So here what happened, I have collected your information, so that is called cyber deception.

And third is called cyber violence. Now I want to promote some social message, I want to promote some economic message, okay? I want to promote some religious message. So I know the Facebook server, Yahoo server, Google server basically receive huge traffic, so we hack into those servers and we promote our social or economic message. That is why sometimes you notice whenever you try to browse some website, it will redirect to some kind of social and economic message website. Okay, so that is basically called cyber violence, where I have the intention to disrupt the society, I have the intention to interrupt, I have the intention to compromise the society. Okay, for example, we have a SCADA plant, we have an ICS plant; ICS stands for industrial control system. Okay, in the Middle East you can see, in the US you can see, lots of machines are controlled by computers. Okay, so here what we did is we hack into the computer networks, okay, and by which we disrupt their power plants, we disrupt their water plant, okay? A live example is I hack into one water plant, okay, remotely, and I increase the chlorine level of the water, which basically creates more poison, so it has become very injurious for the person to drink. So this is how I basically perform cyber violence.

So the summary is that using someone's Wi-Fi, using the Wi-Fi and accessing things, that is called cyber trespass. Cyber deception is basically a phishing campaign, and cyber violence is basically where we are disrupting the networks, disrupting things, and it can also affect someone's human life. DoS attacks and DDoS attacks are part of cyber violence.
So now we're going to discuss the introduction of digital forensics, because we hire forensic investigators, we hire specialized officers who investigate who performed this attack, how this attack happened, who can be the target, and what is the motive for them, so we have a dedicated team. Okay, in every country there is a dedicated team involved in investigating such kinds of computer crime, and that is called a forensic investigator, and that is my agenda in this particular session, so let's start with the introduction of digital forensics.

Okay. So what is digital forensics? When you're talking about digital and forensic, it means doing an investigation of digital stuff. So even if you go by the definition, digital forensics is a part of forensic science that focuses on identifying, acquiring, processing, analyzing, and reporting on data stored electronically. As I said, when Rita received an email, first we contacted Rita and asked for the email. And we identified the email content, we identified the email header, and from there we got high-level information: from which domain the email comes, what is the IP address or server, and what is the primary location. Then we basically contacted that particular company and checked those servers from where the mail had been sent. And from there we got the IP: the sender IP was this particular host IP. So here what happened, we are identifying the electronic information, because if you're talking about a general forensic investigation, if someone has killed someone, we physically go there and collect the evidence, physical evidence, but here everything is digital, you cannot touch that, it is illogical. Email you cannot touch, email is digital data.

Okay, so you have to use specialized tools to extract the email, understand the data, you need to contact the server from where the email was sent, we have to contact that. So here we are basically fighting with the systems, we are not fighting with the person. Here we are not identifying at the first stage who, which person, did that. We are identifying which system was basically used to perform this crime, because once we identify the system, we will get the system owner details or the system user details. You're getting the point. So if the mail has been sent from a cyber cafe at 10:15, but that system was used by multiple people, right? So from there we will involve the camera; the camera will capture the digital data of which person was sitting on that particular system at 10:15, then we will basically contact the person and find out, okay, why did you send this email? So here everything is digital, that is why they say identifying the digital data, okay? Acquiring the digital data, processing the data for correlation, then analyzing the value, and then according to that we do the final report.
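The header examination described for Rita's email, as an added worked example that is not part of the video: it parses the Received chain of a constructed message (the hosts, addresses and ids are placeholders, not from any real mail) to find where the mail claims to have started and, separately, the last hop that the recipient's own servers can vouch for. The function names and the "example-corp.test" domain are assumptions made for the example.

```python
import email
import email.utils
import re

# Constructed sample message for the walkthrough (not a real mail; the hosts,
# IPs and ids are placeholders). Received headers are read top-down: the top
# one was added by the recipient's own server, the bottom one by the first
# server that accepted the message from the sender's machine.
RAW_MESSAGE = (
    "Received: from mx2.example-corp.test (mx2.example-corp.test [203.0.113.7])\n"
    "\tby inbox.example-corp.test with ESMTP id abc123;\n"
    "\tTue, 2 Mar 2021 10:15:02 +0000\n"
    "Received: from mail.relay.test (mail.relay.test [198.51.100.25])\n"
    "\tby mx2.example-corp.test with ESMTPS id def456;\n"
    "\tTue, 2 Mar 2021 10:14:58 +0000\n"
    "Received: from [192.0.2.44] (unknown [192.0.2.44])\n"
    "\tby mail.relay.test with ESMTPSA id ghi789;\n"
    "\tTue, 2 Mar 2021 10:14:51 +0000\n"
    "From: Anonymous <someone@relay.test>\n"
    "To: rita@example-corp.test\n"
    "Subject: you have been warned\n"
    "Message-ID: <constructed-0001@relay.test>\n"
    "\n"
    "Constructed sample body.\n"
)

# "from <host> (<comment>) ... by <host>": the comment normally carries the
# connecting peer's address in square brackets, as recorded by the receiving server.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\).*?\bby\s+(\S+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw):
    """One dict per Received header, in header order (recipient side first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # non-standard header: skipped here, but note it in the report
        from_host, comment, by_host = m.groups()
        ip = IPV4_RE.search(comment)
        hops.append({"from_host": from_host.strip("[]"),
                     "from_ip": ip.group(1) if ip else None,
                     "by": by_host})
    return hops


def claimed_origin(hops):
    """IP in the bottom-most hop: where the mail says it entered the mail system."""
    return hops[-1]["from_ip"] if hops else None


def last_verifiable_ip(hops, our_domain):
    """Walk top-down while the receiving server is one of ours. The from-IP of
    the last such hop is the peer our server really spoke to; hops below it
    were written by servers we do not control and could have been forged."""
    last = None
    for hop in hops:
        if not hop["by"].endswith(our_domain):
            break
        last = hop["from_ip"]
    return last


def sender_domain(raw):
    """Domain of the From: address (what the sender chose to display)."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2] or None


if __name__ == "__main__":
    hops = received_chain(RAW_MESSAGE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['from_host']} [{hop['from_ip']}] -> {hop['by']}")
    print("claimed origin:", claimed_origin(hops))
    print("last verifiable peer:", last_verifiable_ip(hops, "example-corp.test"))
    print("From: domain:", sender_domain(RAW_MESSAGE))
```

The split between `claimed_origin` and `last_verifiable_ip` is the point of the example: the bottom hop (192.0.2.44 here) is what you take to the next server's administrator, but only the hop your own server added (198.51.100.25) is something you can swear to, because anything below it was written by machines you do not control.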
But we have different types of digital forensics. Like we have computer forensics: a computer was hacked, so we identify who hacked that, so there is an investigation involved in the computer aspect. There was a mobile that has been used for threatening, the mobile has been used for sending a WhatsApp message, the mobile was involved in giving a threatening call, so we have investigated the mobiles and identified data from there.

Then we have network forensics: someone is basically doing multiple attacks on the networks, so we are dumping the firewall logs, we are identifying the IDS logs, intrusion detection systems. From there we get visibility: what kind of traffic is coming into the network, from where, which source is involved, so that is called network forensics.

And last but not the least, we have hardware forensics. For example, we purchase some hardware devices, like it can be my mobile as a hardware device, okay, a router as a hardware device, a system as a hardware device, so sometimes what happens, sometimes it's possible that okay, you know, [inaudible] basically embedded a malware in that. Sometimes the user is embedding some kind of trojan in the hardware, so we are trying to investigate whether this hardware is compromised, okay, because if there is a possibility that the hardware is compromised, then it is a concern for us. Maybe someone has given me one device enabled with some mic and all that, so we need to investigate whether someone has tampered with it or something else. So we have different types of digital forensics, okay? So this is the introduction we have, so now we're going to understand the forensic investigation process.
So on a high level, different books talk about different forensic investigation processes. So here I have categorized the forensic process into four stages. The first stage is collection, second is called examination, third is called analysis, and fourth is called reporting. Let me give an example. So suppose this is my internet. Okay. There is a firewall and we have a switch. We have a system A, we have a system B, we have a system C, and we have a system D. Now there is an IP called 1.1.1.1; it is the attacker IP. This IP was able to bypass the firewall and it attacked system A, system B, system C, and system D.

So we got this confirmation that there was an IP that was able to penetrate the firewall and hack into the internal network, and he or she, the particular hacker, was able to hack into multiple systems. So I want to investigate. So here the first step, what I did: I collected the information from the firewall. I collected the information from systems A, B, C, D. So that is called the data collection process. Now here what happened, we have collected all types of data. I'm not saying I'm collecting a specific type of data; I have collected all types of data.

Now the second step is called examination. Now examination is, as I said, we have collected all types of data, but I want to filter on 1.1.1.1, okay, because from the firewall we collected 40 GB of data and from all the systems overall we collected 40 GB of data, but there is no need for 40 GB of data to work on, so I want to examine. So I will basically filter only the 1.1.1.1 data from this total 80 GB of data, so I concluded around 2 GB or 1 GB of data led to the 1.1.1.1, so that is called examination. It means examination is a process of filtering out the information. Now once the information is filtered and we limit it to the 1.1.1.1 logs, then we try to analyze how this event happened. Okay, so that is basically the goal of the analysis, and finally we basically report.

So each and every step we're going to discuss in detail. Okay, so step one is collecting data; all types of data we collect, we will not miss anything. The second step is basically called examination. I will try to correlate all the data related to 1.1.1.1; if the data is not related to 1.1.1.1, I will basically keep it aside, and then on the filtered data from the examination stage I will do the analysis to see how this entire incident happened. And finally, we basically have what is called reporting. So this is basically the parameter we have, so we're going to discuss each and every step now in detail.
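The examination and analysis stages of the 1.1.1.1 scenario, as an added example that is not from the video: a handful of constructed log lines stand in for the collected firewall and host data, `examine` keeps only the lines that mention the attacker address as a whole token (a naive substring match would also pull in 1.1.1.10), and `analyze` turns the filtered set into a timeline, pulling back in follow-on events on a touched host that examination dropped because they no longer mention the IP. The log format, host names and the 30-second window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

ATTACKER_IP = "1.1.1.1"

# Constructed log lines standing in for the "80 GB" gathered in the collection
# stage from the firewall and systems A-D (not real logs). One firewall line
# uses a different address that merely starts with 1.1.1.1.
COLLECTED = {
    "firewall": [
        "2021-03-02T10:11:58Z action=deny src=1.1.1.1 dst=10.0.0.5 dport=22",
        "2021-03-02T10:12:03Z action=allow src=1.1.1.1 dst=10.0.0.5 dport=445",
        "2021-03-02T10:12:04Z action=allow src=172.16.4.9 dst=10.0.0.11 dport=443",
        "2021-03-02T10:12:30Z action=allow src=1.1.1.10 dst=10.0.0.7 dport=80",
        "2021-03-02T10:13:10Z action=allow src=1.1.1.1 dst=10.0.0.6 dport=445",
    ],
    "systemA": [
        "2021-03-02T10:12:05Z smb: session setup from 1.1.1.1 user=admin result=ok",
        "2021-03-02T10:12:40Z cron: daily backup finished",
    ],
    "systemB": [
        "2021-03-02T10:13:12Z smb: session setup from 1.1.1.1 user=admin result=ok",
        "2021-03-02T10:13:20Z smb: file written share/tools/x.exe by admin",
    ],
    "systemC": [
        "2021-03-02T10:15:00Z updater: checked for updates, none pending",
    ],
}


def parse(line):
    """Split '<ISO timestamp> <message>' into (datetime, message)."""
    ts, msg = line.split(" ", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), msg


def examine(collected, ip):
    """Examination stage: keep only lines in which `ip` occurs as a whole
    address (so 1.1.1.1 does not also pull in 1.1.1.10). Returns a sorted
    list of (timestamp, source, message)."""
    whole_ip = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    kept = []
    for source, lines in collected.items():
        for line in lines:
            if whole_ip.search(line):
                ts, msg = parse(line)
                kept.append((ts, source, msg))
    return sorted(kept)


def analyze(collected, filtered, window=timedelta(seconds=30)):
    """Analysis stage: order the filtered events into a timeline, add back
    events on a touched host that follow the attacker's first contact within
    `window` (examination dropped them because they do not name the IP), and
    summarise which systems were touched and when."""
    timeline = [(ts, src, "direct", msg) for ts, src, msg in filtered]
    if not timeline:
        return {"first_seen": None, "last_seen": None, "systems_contacted": [],
                "firewall_targets": [], "timeline": []}
    direct = {(ts, src) for ts, src, _ in filtered}
    first_contact = {}
    for ts, src, _ in filtered:
        if src != "firewall":
            first_contact.setdefault(src, ts)
    for src, start in first_contact.items():
        for line in collected[src]:
            ts, msg = parse(line)
            if (ts, src) not in direct and start < ts <= start + window:
                timeline.append((ts, src, "follow-on", msg))
    timeline.sort()
    targets = set()
    for _, src, msg in filtered:
        m = re.search(r"dst=(\S+)", msg) if src == "firewall" else None
        if m:
            targets.add(m.group(1))
    return {
        "first_seen": timeline[0][0],
        "last_seen": timeline[-1][0],
        "systems_contacted": sorted(first_contact),
        "firewall_targets": sorted(targets),
        "timeline": timeline,
    }


if __name__ == "__main__":
    events = examine(COLLECTED, ATTACKER_IP)
    report = analyze(COLLECTED, events)
    for ts, src, kind, msg in report["timeline"]:
        print(f"{ts:%H:%M:%S} {src:<9} {kind:<9} {msg}")
    print("systems contacted:", report["systems_contacted"])
```

On the sample data examination keeps 5 of 11 lines, and analysis adds the file write on system B (8 seconds after the attacker's session) while leaving out system A's backup job (35 seconds later, outside the window); the window is a judgement call that belongs in the report.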
One thing you need to remember in the forensic investigation: you need to work strongly on the documentation. So documentation should start from the first phase itself, okay? And make sure you maintain accuracy. So let's discuss each and every process in detail.

See, when you're talking about the first step, which is called data collection, this is where we identify the data sources and acquire the data from them, but the problem is how to acquire data? So when you're talking about data, we have two types of data. One is called volatile, and one is called non-volatile. Okay, one is called volatile and one is called non-volatile, sorry for my handwriting, let me- Volatile and non-volatile.

So whenever, like as I said, we have a system A, we have a system B, we have a system C. A, B, and C. And there was a hacker, remotely he was able to hack into the system. So always remember whenever you're initiating a forensic investigation, never ever shut down the system. The reason is very simple: if you shut down the system you might lose the last access data, last access data which resides in the memory. So one thing is, at first, disconnect the network. It means remove the network cable, and in the case of mobile forensics, put the phone in airplane mode. Do not remove the SIM, okay? Don't shut down the phone, remove the- you know, enable the airplane mode, okay? Some people, what they do, they remove the SIM and then they enable the airplane mode. No. If you remove the SIM, you might lose the memory data. So better is keep the SIM in, but enable the airplane mode, okay, and then do the investigation.

Now when it comes to systems here like A, B, C, which were involved in a ransomware attack or were hacked remotely by the hacker, the first practice is remove the network cable after doing an impact analysis. Then the second important thing is obtain the volatile data. Volatile basically means very sensitive data. It is not static data, it's dynamic data, because if you shut down the system you might lose this data. Okay, if you shut down the system you might lose this data; it's very dynamic data. So there is a sequence in which we need to obtain the volatile data. First, we need to dump the memory, because the content of memory basically includes your last accessed files, okay, open connections, and everything. Then you have to dump the running processes, then you dump the open file data, then you dump the network configuration, and then you dump the operating system time. So this is the sequence we have in which we need to obtain the data, always remember, okay. But non-volatile is what? You shut down the system and you can make a ghost image of that; that is called non-volatile. So always remember whenever you're obtaining data or collecting data, first you should focus on volatile data and then you have to focus on the non-volatile data.
Now you have collected all kinds of information. Now the second step is called examination. Examination is all about involving, assessing, and extracting relevant pieces of information from the collected data. So what we did, we collected all kinds of information, but I need to focus on the particular IP. I need to focus on the particular pattern. I don't want anything else, I just want that important pattern, so I will try to extract the respective IPs, I will try to extract the particular pattern of traffic, and what is not relevant I can ignore. So that is basically called the second step, which is called examination.

And then once you basically examine, then you will basically try to do the analysis of how this incident happened, because now you have filtered data, so analysis should include identifying people, places, items, and events and determining how these elements are related so that a conclusion can be reached; so that is called analysis.

And finally, you prepare the complete report. So during reporting, you will compile all the data first. Compile all the incidents, compile all the correlations, then in the report you should include the tools, the tools that you have used, because it's very important to give the information to your stakeholders on how you have obtained the data, okay. Who was involved in this crime, who was involved in this investigation, what was their role, any issue that occurred during the entire process, all challenges you can document in the report. Like one day what happened, I was doing an investigation of a server, but I was not able to access the server directly. I was not able to access some IP data because of compliance and legal regulatory requirements, so I can note this in the report: that because of compliance and legal regulatory requirements we failed to obtain the reports.

So audience considerations need to be considered. If you're giving this report to your technical manager, definitely the report will be very technical in nature, but if you're giving this report to senior management, then remove all the data and talk only about business. Reporting should also include actionable information, you know, what can be done in the future. So many forensic and incident response teams also hold a formal review after each major event, and such reviews tend to include serious consideration of possible improvements to guidelines and procedures, and typically at least some minor changes are approved and implemented after each review, so that is basically part of the reporting. Okay, so these are the high-level steps we have that we follow.
Now the next thing is called chain of custody. Now what is chain of custody? See, I have obtained the evidence from this incident scene. Okay, I have obtained the evidence from this particular scene, this is the crime scene. Like hard disk, data, systems, and all that. So I am Prabh Nair. Okay, I have obtained this evidence from this crime scene. Now I hand over this evidence to my colleague whose name is Kapil. Okay, Kapil hands over the evidence to Abhishar. Okay, so here what happens, there is a sequence we have in which we have handed over, and because Abhishar is the lawyer, Abhishar is basically representing the forensic team who is going to the court to submit this evidence. So this is the chain we have followed, but make sure there should be one document we need to maintain, in which we need to maintain the information about who obtained the evidence, who holds the evidence in the current scenario, and what was the hash value, and that document is called the chain of custody.

Chain of custody also talks about the sequence in which we have obtained the evidence. Okay, whatever the first evidence we have obtained, I will update in the document; what is the second evidence we have obtained, document. When the evidence is handed over to another person, that is documented. So document the sequence of possession, control, transfer, analysis, and disposal of things, including physical or electronic evidence. An important aspect of evidence recording is the chain of custody, so here we have item one, we have a hard disk, we have given the description, model number, and all that. So it is released by Prabh and received by Kapil, and we're giving the comment and everything, so this is the kind of document we have which is attached with the evidence, and when we submit the evidence in the court, we need to submit this document also.

So to prove the chain of custody, you will need to form that detail of how the evidence was handled in every step of the way, because one thing is that to testify to the crime in the court, evidence is the only tool we have. Evidence is the only substance we have. If blah blah blah person has hacked the email, or if blah blah blah person sent the email to Rita, I need evidence for that, so I went to a particular system, I got the camera records, and from there we were able to identify that at 12:15 that guy is the one who sent the email, so we seize the laptop, we seize the computer of the cyber cafe, we took the picture of the camera, we directly obtained the records from the camera; these are all evidence, but who obtained it, when it was obtained, and when we transferred it needs to be documented in one paper, and that is called the chain of custody.

So to prove the chain of custody, all examiners need to be prepared to answer the following questions, like proof of evidence: okay, how did you acquire this evidence? When was the evidence gathered? And who handled the evidence? Okay, so that's the point we have.
But when we're talking about the good evidence principle, let me give you a very good definition of what evidence is. So if you go by the Oxford Dictionary, evidence is a noun, actually. Okay, now for example, if someone has physically, if someone has killed one person, okay, one person has killed another person. So the knife is the evidence, the fingerprint on the knife is evidence. That is okay when it comes to the general forensic investigation, but when it comes to digital forensics everything is data. Okay, camera records, IP records, an IP that belongs to a particular attacker, all these are basically evidence. So evidence is the information or sign indicating whether a belief or proposition is true or valid. Information used here to establish the facts in a legal investigation, or admissible as testimony in a court of law. That is what is called evidence.

Okay, so here I am proposing my system logs, here I am proposing the IP logs, so that is evidence. So evidence is the information which indicates whether a belief or proposition is true, and information used to establish the facts in a legal investigation or admissible as testimony in a court of law.

So the question is, what is evidence, or what is the good evidence principle? The first thing is that make a copy of the system. See, never ever do the investigation on a live system, always remember. Suppose we have a server. This was the actual server which was hacked, so there is no point in doing a live investigation on the server. First, make a ghost copy. Okay, make a ghost copy, make a copy of the system, and then install the copy in another system, and do the investigation, so that is the thing. So the question is what kind of copy? So we do a bit-by-bit copy. A bit-by-bit copy is a great copy in which it will capture your deleted files, it will capture your slack space, it captures all your hidden files and everything. So we always prefer whenever you're creating a copy of any server, a copy of any desktop, go for the bit-by-bit basis, not a file-by-file basis. And the media on which you're making a ghost image, making a copy of the system, that should have a write blocker, that should have a write blocker disk. Write blocker disk. Make sure to secure the original and work on the copy, and document everything, whether too small or too big, and do your best to collect data in the order of volatility which we discussed, right? First we dump the memory data, then network connections, and all that. So that is the good evidence principle we have.
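The chain-of-custody document from the previous part and the good evidence principle from this one, brought together in an added example that is not from the video: a constructed file stands in for the seized disk, it is imaged byte for byte, source and image are hashed and compared before anything else happens, and every hand-over (Prabh to Kapil to Abhishar, the names used in the video) re-hashes the image and records the result, so an altered image is refused at the next transfer. The `ChainOfCustody` class, the file names and the one-byte tamper are assumptions made for the example; the read-only open is not a substitute for the hardware write blocker the video calls for.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB blocks so a large image need not fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_bit_for_bit(source, image):
    """Copy every byte of `source` into `image` (on a raw device this carries
    slack space and deleted-but-unallocated data along, which a file-by-file
    copy would skip), then hash both and refuse to continue unless the digests
    agree. Opening read-only only keeps this script from writing to the
    original; the hardware write blocker is still required."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    if src_hash != img_hash:
        raise RuntimeError("image digest differs from source; acquisition failed")
    return src_hash


class ChainOfCustody:
    """One record per evidence item: who acquired it, every hand-over, and the
    hash checked at each step, so each holder can answer 'how was it acquired,
    when, and who handled it'."""

    def __init__(self, item_id, description, acquired_by, digest):
        self.record = {
            "item": item_id,
            "description": description,
            "sha256": digest,  # reference digest taken at acquisition
            "log": [{"action": "acquired", "holder": acquired_by,
                     "at": self._now(), "sha256": digest, "intact": True}],
        }

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    @property
    def holder(self):
        return self.record["log"][-1]["holder"]

    def transfer(self, released_by, received_by, image_path):
        """Record a hand-over. The releasing party must be the current holder,
        and the image is re-hashed: a mismatch is written into the log and then
        raised, so an altered image cannot travel further quietly."""
        if released_by != self.holder:
            raise ValueError(f"{released_by} is not the current holder of {self.record['item']}")
        digest = sha256_file(image_path)
        entry = {"action": "transfer", "released_by": released_by,
                 "holder": received_by, "at": self._now(), "sha256": digest,
                 "intact": digest == self.record["sha256"]}
        self.record["log"].append(entry)
        if not entry["intact"]:
            raise RuntimeError("digest mismatch at hand-over: evidence was altered")
        return entry

    def to_json(self):
        return json.dumps(self.record, indent=2)


def demo():
    """Acquire a constructed 'disk', pass it Prabh -> Kapil -> Abhishar, then
    tamper with the image and show that the next hand-over is refused."""
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "suspect-disk.raw")
        image = os.path.join(d, "item-01.dd")
        with open(disk, "wb") as f:  # constructed stand-in for a seized drive
            f.write(b"LIVE FILE CONTENT " * 1000)
            f.write(b"\x00" * 4096 + b"DELETED-BUT-RECOVERABLE " * 100)
        digest = image_bit_for_bit(disk, image)
        coc = ChainOfCustody("item-01", "laptop hard disk, serial <placeholder>", "Prabh", digest)
        coc.transfer("Prabh", "Kapil", image)
        coc.transfer("Kapil", "Abhishar", image)
        with open(image, "r+b") as f:  # simulate tampering: change one byte
            f.seek(10)
            f.write(b"X")
        try:
            coc.transfer("Abhishar", "court clerk", image)
            tamper_detected = False
        except RuntimeError:
            tamper_detected = True
        return coc.record, tamper_detected


if __name__ == "__main__":
    record, detected = demo()
    print(json.dumps(record, indent=2))
    print("tampering detected:", detected)
```

The failed hand-over is kept in the log rather than discarded: the record of a hash mismatch, with who held the item and when, is exactly what the "who handled the evidence" question in court will turn on.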
So whenever you drive any kind of investigation strategy, we have some parameters to understand. The first is to understand the investigation objectives and timeline. There are a lot of investigators, okay, what they do when they drive any kind of investigation: without doing any analysis, they start the investigation. They don't understand the intent of the crime, they don't understand the motive of the hacker, they don't understand the purpose of the crime. So it is very important whenever you plan your investigation, understand the objectives. What is your timeline? What is the intent?

Okay, second is make the list of resources that you want for the investigation. According to the skill set, only take the forensic investigators with you. Now for example, there was an enterprise which got hacked, and in that enterprise they're using Apple Macs, so we need some forensic investigator who is good in Mac. There's no point in taking a Windows forensic investigator, because we have a different way to do the forensic investigation in Windows. We have a different way of doing a forensic investigation in Linux, we have a different way of doing a forensic investigation in Unix, or we have a different forensic investigation process in the network. So make sure after understanding the objective and having clarity about what is happening, according to that you need to plan the resources. Even the tools are also different. For Windows, we have a great tool which cannot be good in Linux. We have good tools in Linux which cannot be great in Windows, so make sure you understand the things and according to that plan the resources. 90% of forensic teams do literally miserably on the second part. They make a lot of mistakes.

Third is identify the potential evidence source, because that is how you can establish the crime parameters. Hacking, like if the hacking was initiated from a particular laptop, identifying the IP is the most important priority for us at the first stage. Then at the second stage, we need to check who is the user who used the laptop. So it is very important to identify the potential evidence source, and make sure when you're looking for the evidence source, look for authenticity. Third is estimate the value and expense of getting each source of evidence; it's very important. I got one piece of evidence directly from a server which got hacked, and I got one piece of evidence which was provided by the system administrator. Definitely I will trust that evidence which is directly obtained from the server. So we need to estimate the value, so sometimes we have direct evidence and sometimes we have indirect evidence. Okay, like someone told me that guy was sitting on the system, that is called indirect evidence, but we have camera logs which show that on that day the person sat on the system and did the hacking from there, so that is called direct evidence. Prioritize your evidence gathering: what is the important need, what needs to be reviewed later, so that is another important thing we have.

And make a plan for first acquisition. Instead of directly investigating and all that, 20 to 30 percent of your priorities in the first stage are when you're acquiring data, because your entire investigation depends upon the acquisition of data. If you acquire the wrong data, based on that you do the wrong action, based on the wrong action you will take the wrong decisions, and the wrong person will feel guilty. So it's very important, whatever you're doing during the time of acquisition, you should thoroughly understand the things. Make sure you obtain accurate data. So this will be your investigation strategy when you deal with any kind of crime scene.

So now there are some technical tools basically used in digital forensics, which we're going to discuss in the next part.
-
Okay, so now we're going to discuss about
-
the different type of tools which is
-
used in the forensic or digital forensic
-
investigation. So one of the first tool
-
we called as a SIFT Workstation. I'm
-
sure you heard about Kali Linux. Now when
-
you install the Kali Linux, okay, in any
-
system,
-
it installs with multiple tools. It is
-
like an OS, right? And within that OS you can
-
see the multiple further pen testing or
-
secure testing tools. Same like SIFT is
-
like a workstation.
-
Their image is available, you can
-
download, you can mount, you can run that
-
system, and that utilities this
-
workstation is basically include the
-
multiple tools, okay.
-
So it is one of the popular one which is
-
used for a forensic investigation,
-
and
-
it also consists of several open source
-
incident response tools also within that
-
workstation. And one of the important
-
feature of the SIFT
-
toolkit is that it
-
has some utilities which is used to
-
examine the raw disk,
-
okay, able to understand the multiple
-
file systems. So example, we are running a
-
system A, we are running a system B, and
-
we are running a system C.
-
So system A is running with Windows,
-
system B is running with Linux, and
-
system C running with Mac.
-
Each and every system is running with a
-
different file system, so I installed the
-
SIFT workstation on this system
-
which is my laptop, I'm an investigator.
-
And then I basically connect with
-
the systems and extract the data from
-
there.
-
Or I can basically boot my system,
-
boot this particular system, with a
-
SIFT workstation as a live CD and I
-
am able to investigate these systems
-
easily. So for me
-
investigating of a different file system
-
will not be the challenge.
-
And
-
second toolkit that we are using is FTK
-
which is from the company called Access
-
Data. So that toolkit, one of the
-
important tool in the toolkit is called
-
as a FTK Imager. So when we say FTK
-
Imager, we mean that we have a system A,
-
we have a system B, we have a system C. So
-
this was the system which is hacked
-
remotely.
-
Okay so I want to make a ghost copy of
-
the system, I want to make a copy of the
-
system because we cannot do the
-
investigation on the live system. So how
-
to do that? In that case, popular tool we
-
are using is FTK Imager, so with the help
-
of FTK Imager, we are able to create an
-
image of the complete system and then I
-
can basically copy that image or
-
mount that image in other system, and
-
then I will do the further investigation
-
on that system. So these are the one of
-
the popular tool we have.
-
Along with that we also have another one
-
which is called as a Digital Evidence
-
Forensic Toolkit. It is well popular in
-
intelligence and
-
government activities, so and the reason
-
is that they have a,
-
they have some tools which having a
-
capability to open the encrypted files
-
also,
-
and able to recover the deleted data.
-
Okay so that is why it is one of the
-
popular utility we have which is
-
recommended by the different enforcement
-
agencies also. Okay,
-
but when we are dealing with the different
-
type of
-
data, okay, we need to make a image of the
-
system, or we have a different type of
-
extensions of the files. So one of the
-
popular extensions we have is DD.
-
DD is called data duplication. So it
-
also comes with a DD utility which is
-
used to copy
-
the Linux system, and then we can
-
create an image and I can dump the image,
-
I can mount the image in other system,
-
and do the investigation. So DD is
-
another
-
type of file we have. Then we have a AFF
-
file format. That is basically used in a
-
forensic investigation,
-
So it is an extensible open format for the
-
storage of disk image,
-
and it was created to be an open and
-
extensible file format to store disk
-
image and associate metadata.
-
So AFF has a goal to create a disk image
-
format that would not lock the user into
-
a proprietary format that may limit how he or
-
she may be able to analyze that. And today
-
it is a preferred tool for your, in
-
gathering intelligence and resolving the
-
security incident. It mean if you make a
-
ghost image, if you make an image in AFF
-
format, suppose you make a copy of the
-
system in AFF format, so in that case we
-
can use this AFF utility with multiple
-
forensic tools.
-
We also have other different type of
-
image like RAW image which is basically
-
do the bit by bit copy, and the great
-
advantage of bit by bit copy, it will
-
capture the entire disk,
-
entire volume without any deletion or
-
any addition. And raw image format was
-
used by the DD also, but nowadays
-
multiple forensics application also
-
support that. It mean if we have a system
-
A, system B, and system C, when I make a
-
copy of the system and the image is raw
-
image,
-
so that raw image can be used by
-
multiple forensic tool because when we
-
need to do the investigation on the
-
system definitely we are not doing an
-
investigation on the live system, so we
-
mount the image which is created from a
-
system and tool will read the image and
-
according to that do the investigation.
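The dd copy and raw-image checks described above, as an added shell example that is not from the video or from any of the tools it names: it images a constructed sample file with dd, hashes the source before and after the copy and the image afterwards with SHA-256, and appends the result to a custody log, so the image can later be shown to match the original. The file names, the hash_file, acquire_raw_image and verify_image function names, and the /dev/sdb placeholder are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the video: a raw (bit-for-bit) acquisition with dd,
# with the source hashed before and after copying and the image hashed after,
# so the copy can be shown to match the original. The "source device" below is
# a constructed sample file so the script runs without root or real hardware;
# on a real case the source would be a block device such as /dev/sdb (a
# placeholder, not a value from the video) read through a write blocker.
set -eu

# SHA-256 of a file as a bare hex string; sha256sum on Linux, shasum elsewhere.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for a disk: 1 MiB of random bytes (a multiple of the
# 512-byte block size used below, so conv=sync adds no padding).
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

# acquire_raw_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE block by block (conv=noerror,sync keeps going past a
# bad sector and pads it with zeros so later offsets stay aligned), appends a
# custody line to LOG, and succeeds only if the image hash equals the source
# hash and the source hash did not change during the copy.
acquire_raw_image() {
    src="$1"; img="$2"; log="$3"
    src_before=$(hash_file "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    img_hash=$(hash_file "$img")
    src_after=$(hash_file "$src")
    printf '%s source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_before" "$img_hash" \
        >>"$log"
    if [ "$src_before" != "$img_hash" ] || [ "$src_before" != "$src_after" ]; then
        return 1
    fi
    return 0
}

# verify_image IMAGE EXPECTED_SHA256
# Re-check an image against the hash recorded at acquisition time before
# analysing (or mounting read-only) a working copy of it.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Demo on a constructed source in a temporary directory.
demo() {
    work=$(mktemp -d)
    make_sample_source "$work/disk.bin"
    acquire_raw_image "$work/disk.bin" "$work/disk.dd" "$work/custody.log"
    echo "acquisition verified:"
    cat "$work/custody.log"
    rm -rf "$work"
}

demo
```

The custody line records both hashes with a UTC timestamp; any later analyst can run verify_image against the recorded value to show the image is still the bit-for-bit copy that was taken, and any change to the image (even a single appended byte) makes that check fail.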
-
We also have other extension like dmp,
-
dump, crash, mem, vmem, and mdmp so this is
-
more like a memory dump data.
-
So sometime when we need to review the
-
memory and all that these are the
-
extensions in which we basically save a
-
file. We also have a binary dumps for the
-
memory which called as a dot bin, dat,
-
file, unallocated, rec data, or binary.
-
So this is also is very useful when we
-
need to investigate the open files and
-
everything. Sometime if you want to
-
investigate the virtual machine we have
-
extension called vmdk.
-
And when the FTK tool is creating image
-
they store the image in this particular
-
format.
-
So this is all from my side team. If you
-
find this video useful, do let me know in
-
the comment box, what is the next video
-
you want me to make on forensics? I'm
-
very happy to receive your feedback by
-
which I am able to improve my video, and
-
I'm sure if you're new to my channel, do
-
subscribe to my channel and click on the
-
bell icon to make sure you do not
-
miss my future videos on a similar topic.
-
And do let me know in the comment box
-
what are the top popular forensic tools
-
from your point of view which can be
-
used for a forensic investigation apart
-
from what is mentioned in the slides.
-
Thank you for watching my video.
-
Bye, take care.