1
00:00:00,250 --> 00:00:57,920
Forensic procedures. In this lesson we're going to talk about the basic forensic procedures, and this is essentially going to be a four-step process. Now, the first thing you need to know about forensics is that for everything we do, we use written procedures. These written procedures are going to ensure that personnel handle forensics properly, effectively, and in compliance with the required regulations. This way we always follow what is written down and we always do it the same way. Now, as we go through our forensic procedures, there are four main areas. We have identification, collection, analysis and reporting. In this lesson, we're going to talk about each one of those. First, we're going to have identification. This is going to ensure the scene is safe. We have made sure we secure the scene to prevent any evidence contamination, and we identify the scope of the evidence to be collected. Now, when you think about this, especially in the digital forensics world, I like to think about it as if you're working for the police department. They break down the door, they arrest the person, and what do you need to do?

2
00:00:57,920 --> 00:01:42,600
Well, as you walk in the door, the first thing you need to do is make sure the scene is safe. There's not a bad guy hiding in the other room that's going to come out and hurt you and try to stop you from collecting the evidence. We want to make sure everything is safe there. Then once we know everything is safe, we move on to the next step, which is making sure nobody contaminates our evidence. We want to record the scene using video and photography to make sure we know exactly what was there before we touched anything. And then we want to start identifying the scope of the evidence to be collected. If I go into a store as part of this investigation, and they say, "Hey, we're looking for this type of data," well, I need to start looking at all the computer systems around there and say, "Where can this type of data be hidden?" Is it going to be on a tablet? Is it going to be on a phone? Is it going to be on a smart TV? Is it going to be on a server?

3
00:01:42,600 --> 00:02:31,810
And based on the type of data I'm looking for, I'm going to scope my evidence collection, because a lot of times your warrant will tell you exactly how large or how small the scope you have is and what you're allowed to collect. And then we're going to move into collection. Now, when we do collection, we have to ensure that we have authorization to collect the evidence. Now, this might take the form of something like a warrant. And then we're going to document and prove the integrity of the evidence as it's collected. Now what this means is, as I start collecting the information from the computer, I'm not just going to take the hard drive and throw it in a bag. I need to actually do a bit-by-bit copy of that hard drive, because all my analysis later on is going to be done on the copy, not on the original. Now I also need to make sure that that hard drive is an exact match once I make the copy of it. And I am going to take it into evidence to make sure that I have the original, so that if we ever need to go back to the original for analysis and make another copy, we could.

4
00:02:31,810 --> 00:03:25,070
We also want to make sure we prove the integrity, to make sure I haven't changed any data on it and nobody else has changed anything on it. That's the idea here with collection. Then we move into analysis. So now that we have a copy, we are going to create a copy of this evidence, and we're going to take that for analysis. And we use repeatable methods and tools during the analysis. Again, everything here is going to be written down. We are going to use procedures that tell us exactly what to do. This is going to say: step one, do this, make a copy of the drive. Step two, create a hash of the drive to make sure you have integrity. Step three, perform analysis on the drive using XYZ tool. It'll tell you exactly what you need to do as an analyst using a checklist that can be repeatable and followed each and every time. And then we've got step four, which is reporting. At the end of all of our analysis, we need to create a report of the methods and the tools that we used in our investigation. And then we also need to present detailed findings and conclusions based on that analysis.

5
00:03:25,070 --> 00:04:18,110
If I was looking for child pornography on this hard drive of the victim's computer, I need to say, "I found it, it was located here." And here's how I prove it: all the things I did, how I found it, all the locations, all the files, screenshots of it, all that kind of stuff to put into the final report to give to the judge and into the court so that person can go to trial. Again, you may be called to go into court to testify based on what you have, and based on your report that you're going to give and the analysis you've done. Now, this is really important to realize, because everything you do is going to come under question once you get on that stand. They're going to ask about every method you've used, any mistakes you possibly could have made. They're going to try to find fault with everything you could have done, because if they can find fault with anything you've done, your evidence and everything you found from it can be thrown out of court, and that can get their client off. Attorneys are paid a lot of money to help get their clients off of these criminal charges.

6
00:04:18,110 --> 00:05:06,560
And so if you're working in the criminal sector as a forensic analyst, you need to be very careful to do everything exactly right by the procedures. This is going to bring us to the concept of a legal hold. Now a legal hold is a process that's designed to preserve all the relevant information when litigation is reasonably expected to occur. Now, litigation is just a fancy word for lawsuit. Essentially, if we think what we're going to be dealing with in collecting could end up in court one day, we need to make sure we don't destroy any evidence. We need to collect it all and preserve it all. Now, one of the biggest challenges when you start dealing with this is that you can actually have your computer or server seized as evidence inside of some kind of criminal conspiracy. Let's say you ran a web hosting company and somebody bought storage space on your server, and they put illegal files on there, whatever the bad content is.

7
00:05:06,560 --> 00:05:58,350
Well, if the police want to take that evidence, they might take your server that holds not just that person's stuff on it, but also all of your other clients' data on it as well. And that can go away for a long period of time because of this legal hold. The legal hold can actually take that computer server as evidence for the entire duration of that trial, which could be months or even years. So this is something you have to think about as an organization. Do you have backups for your servers? How quickly can you get them back online if you have some kind of an evidence collection that's going to happen? Because that is something that you need as part of your business continuity plan as well. Now, another thing I recommend when you're dealing with the law is you should always have somebody from your organization appointed as your liaison, and that person should have legal knowledge and expertise so they can be the point of contact with law enforcement. So when somebody comes in from law enforcement and they want to start collecting evidence, you need to have somebody who can work with them.

8
00:05:58,350 --> 00:06:48,720
This person is going to be your point of contact between the forensics team, which may be an outside company or law enforcement, and your sister team, which is your cybersecurity incident response team. If you're dealing with a data breach, for instance, is your company going to try to pursue legal action against the person who broke into your systems? If so, you're going to have a forensics team from law enforcement coming in and collecting that evidence. And so having this liaison who can be that single voice and that single point of contact can really make things work a lot better for you. Now, the last thing we need to talk about in this lesson is ethics. Forensic analysts have to follow a code of ethics, and there are three main points to this code of ethics that you really do need to follow. Otherwise, you're going to have a problem when you get on the stand. First, analysis must be performed without bias. This means any conclusions or opinions that you form should only be based on the direct evidence that you've observed.

9
00:06:48,720 --> 00:07:44,190
You shouldn't be thinking, "Well, I don't like this person because X, Y, Z." It's not based on their color, their creed, their nationality, what they look like or anything else. It should only be based on the evidence you find. In fact, it's much better for a forensic analyst to be completely removed from the situation. A lot of places that I've worked with before, they have one set of people who collect the information and another set that analyzes it. So all they see is the data. They don't know anything about the case up to that point, and that can help eliminate some of that bias. The second thing: an analyst's methods have to be repeatable by third parties. Now, what I mean is that if I take the exact same evidence and I give it to somebody else, they should get the same results if they use the same methods you did. And again, this is why it is so important that you document every single thing you do when you're doing your analysis. For instance, when I do my analysis, I will write down the time and the action I took. I clicked this button.

10
00:07:44,190 --> 00:08:38,910
I ran this command, here were my results. And I put a screenshot in there. That way, anybody who comes behind me can see exactly what I did, when I did it, how I did it. And if they run those same commands, they should get the same results. If they don't, that could be reason to get your evidence thrown out. And the third thing is that evidence must not be changed or manipulated. We never want to do analysis on the actual device itself. Instead, we always want to do it on a copy when we can. So if I'm taking evidence from a hard drive, I'm going to do a copy of that hard drive. I'm going to run an integrity check, such as a hash, on both the drive and the source to make sure they match. And if they do, I can then do my analysis on the copy. That way I don't have the possibility of modifying or changing the original. And we'll talk about a lot of other things about how we can make sure we don't modify the original as we go through this section. Now, here is a big warning for you. If you're ever going to do this professionally, keep this in mind.

11
00:08:38,910 --> 00:09:32,900
Defense attorneys will try to use any deviation from your ethics or from your procedures as a reason to dismiss your findings and analysis. Remember, these attorneys get paid big dollars to be able to get their clients off. That's their job. They're trying to get that case thrown out. And anytime they can get your evidence thrown out, that is one less thing against their client. And so they're going to do that. They are going to go after you. They're going to go after your credentials. They're going to go after your methods. They're going to go after your processes. And you're going to have to defend all of that in court to make sure your evidence can be admissible and can stand up in court. So at this point we've gone through a lot of our process of acquiring things. We've collected memory, we've collected the disk image and we've hashed it. But now we start doing all of our analysis. Now a large portion of our investigation is going to be trying to find that needle in a haystack. And we're going to start figuring out who touched what files at what time, for what purpose.

12
00:09:32,900 --> 00:10:25,350
Now, as we start gathering all of that information, there should be a good way to present that information as part of our analysis and our report. How do you want to do that? Well, one of the best ways is using a timeline. Now, a timeline is a tool that will show the sequence of file system events within a source image in a graphical format. So I can give you a lot of different ways to say here's all the different files I found, when they were touched and who touched them. I might put that in a spreadsheet. I might put it in a Word document. But one of the best ways is to graphically depict it. And that's what a timeline allows you to do. Now, some of your tools will help you do this automatically. For instance, here's an image from EnCase. Notice on the left side of the screen, we can see the file for our target disk that we've been doing our analysis on. On the right side, you'll see a timeline view of all the files that were touched at a particular time. For instance, you can see here every minute within this hour of this day.

13
00:10:25,350 --> 00:11:14,910
And so we can see here, highlighted in red, that at the 19th minute, all of those files were being touched. Now, if you're on a server, this can be a lot of files. And so it's really going to be important to say, "We know bad thing X happened at this time based on our SIEM data or our log data." And once we go into that, we can then correlate that with the analysis that we're looking at, especially if we're trying to track down an intruder. Now in the forensic world, this is important as well, because if I'm trying to put a bad guy away for something he did, I need to prove he did it, that he had means, motive, intent. And one of the things that can help me is if I know he was on this computer at this time and this activity happened during that timeframe, that's going to be able to help me create that evidence I need to punish that bad guy. So once you start constructing your timeline in this graphical format, you'll also back it up with a written report. Now, a lot of things have to go into this report.

14
00:11:14,910 --> 00:12:04,610
And one of the things you're trying to aim for as you're constructing this timeline and your report is to answer a lot of different questions. For instance, you might want to answer, how was access to the system obtained? Was it remotely, or was it locally? Did they get somebody's password or did they steal it? Were they able to break in using some kind of an exploit? All of those are things you want to figure out. What kind of tools may have been installed? If he was a bad hacker who hacked into your system over the internet, did they install a Trojan? Did they install some kind of remote access tool? All those things are things you want to identify as part of the analysis. Then you also want to think about what changes to the files were made. And again, your analysis and your timeline are going to help you here, because you'll be able to see which files were touched at which particular time. You also want to figure out what data has been retrieved. Were you the victim of a data exfiltration? If so, you should see reading happening of those files and then transmission over the network.

15
00:12:04,610 --> 00:12:58,470
And again, all of that can be documented as part of your timeline. And finally, was the data actually exfiltrated? Just because somebody accessed the data doesn't mean they took it with them when they left the network. And so you need to be able to prove that as well. All of these are things you're going to do as part of your analysis as you're going through your timeline generation. Now, many forensic tools can generate a timeline based on the evidence you've been scanning and analyzing. This can be done in lots of different tools. For instance, I showed you the one for EnCase earlier. You also can do this using the open source tool the Sleuth Kit and its companion tool Autopsy. Here on the screen you can see the timeline editor within Autopsy. Notice, it looks a little different than the way we saw it inside of EnCase. For this one, we can show what time unit we want. Do we want to look at it as years, days or minutes? How far out, or how far in do we want to zoom? We can look at the event type. Is it a base type or a subtype? We can look at the description.

16
00:12:58,470 --> 00:13:40,170
Is it going to be short or long? We can apply different filters to only show certain events. For instance, show me all the files that were PNG files that somebody had touched, which are graphic files. I can then see a table view or a thumbnail view of all the files that were touched there in the bottom left. On the right side, I can see some data associated with the different files that are being highlighted. And up on the top right, you can also see the counts, the details or list view of all the things that have been touched. Again, you can start playing with this tool on your own because it is open source. So you can feel free to download it, load it up and try it out yourself. Now, one of the questions I often get is, what if your tool doesn't support creating your own timeline? Well, if that happens, you can create a sequence of events within a spreadsheet to serve as your timeline.

17
00:13:40,170 --> 00:13:52,253
Now, because this is a manual process, it is more time intensive and it takes more work on your part, but it is still helpful to have some sort of a timeline included in your report so people can see exactly what happened, when, and who did it.