During an incident response, we often need to collect evidence of that cyber attack for further analysis. For example, if your main server has been infected with some kind of malware as part of an attack, you'd want to get that cleared up and get that server back online as quickly as possible to minimize the disruption to your operations. But if you do that, you may erase the evidence of the attack, and that would make it impossible to figure out who did it. Now, to overcome this challenge, we often use digital forensic collection techniques to make forensic images of the data on those servers, and we use that as evidence for later analysis. Doing that allows your incident response team to help get your server back online as quickly as possible and resume operations, but also maintain that evidence. Now, your incident response team may need that evidence because they may be working with law enforcement. And if you're doing that, you're probably trying to seek criminal prosecution for the attacker who broke into your systems. Now, as part of your data collection and evidence collection efforts, you're going to do a lot of different things.
For example, you're going to capture and hash the system images. This means you're going to use a tool like FTK Imager to make an exact copy of that server's hard drive and then hash it to make sure it doesn't change while you're analyzing it. Then you're going to analyze the data you collected using software tools. You're going to use forensic tools, things like FTK, the Forensic Toolkit, or EnCase. Then you're going to have to capture screenshots of the machine. What did the machine look like when you arrived on the scene? You want to capture pictures of that so you know exactly what it looked like. You might go back and look at your network traffic logs and captures, review all of that, and see how they moved throughout the network as you're trying to trace back the attack. If you think somebody was physically on your property, you may want to capture video from the closed-circuit TV system. As you're collecting all this data and evidence, you want to consider the order of volatility, which means the order in which things get modified most quickly.
The quickest thing that gets modified is the cache inside the processor, then the memory, then the swap files, then the hard drives, right? And you think about which one is going to get changed first. When you do that, you have to collect things based on that order as well. And anything on the victim machine can be modified if there's a bad guy on that machine, right? And so we want to collect the evidence as quickly as possible. Then we want to take statements from witnesses and administrators. What did they see? What made them think there was an incident? Maybe there was somebody who said, "Hey, my computer, all of a sudden the mouse started jumping all over the screen." That's something you need to collect the information from and figure out why it did that. Then we want to review our licensing and documentation and figure out: do we have the proper license for all of our systems? And do we understand how they work? And are they working the way they were designed, based on the documentation?
And then of course, we're going to track our man-hours and our expenses, because at the end of this incident response, someone's going to say, "How much did it cost us?" If you look at most data breaches in the US, large companies are suffering millions and millions of dollars of losses in the cost of these data breaches, both in the response efforts to it, as well as the value of the data that's lost. Now, in the next lesson, I'm going to show you how a forensic disk image is actually created during an incident response. For the Security+ exam, no one is going to ask you to conduct this operation, but it's going to give you a taste of digital forensics and see if the idea of being a digital forensics examiner interests you. If it does, you may want to download and play with some forensic tools like Forensic Toolkit, which I'm going to use in the next lesson, or EnCase.

Data acquisition. We're going to talk about how you start acquiring evidence. This involves data acquisition, which is the method and tools used to create a forensically sound copy of the data from a source device, such as system memory or a hard disk.
Now, when you deal with acquisition, the first question you have to ask is: do I have the right to search or seize this thing legally? This is an important question because in your organization, not all the devices are owned by the company. If it's owned by the company, yeah, you have rights to go ahead and collect on it, because you work for the company and they want you to. But what if you allow bring-your-own-device? If you allow bring-your-own-device in your organization, these policies can complicate data acquisition, because you may not legally be able to search or seize that device, because you don't own it. The employee does. And so you have to make sure that any evidence you're gathering, you have permission to gather. Otherwise, that search could be inadmissible. Another thing that makes data acquisition very complicated is that when you get to a crime scene, you're not just dealing with the physical world. You're dealing with the digital world. And so when I come into a room and I see that the lights are on and a computer is on, how am I going to collect the data off that computer?
Am I going to shut it down? Am I going to power it off? Am I going to collect it when it's powered on? All of these are valid options, and each one has drawbacks and benefits depending on what you're trying to collect. But for now, I just want you to keep in mind the fact that when you're dealing with a digital crime scene, as opposed to just a physical one, there is some evidence that could be lost when you turn off a computer or shut it down. And so you need to make sure you understand what you're going to do and the procedures you're going to deal with. Now, this brings us to the idea that some of this data can only be collected when the system is on. And some of this data can only be collected once a system is shut down or you suddenly remove the power. Now, an analyst always has to think about the order of volatility when they collect their evidence. First, we always want to collect anything that is short term, anything that is highly volatile.
So if you start thinking about things like CPU registers and cache memory, that is a very small amount of memory inside those processors, and so it's getting changed very frequently, so you want to be able to collect that as soon as possible. Then we move on to the other volatile memory, which is things like system memory, routing tables, ARP caches, process tables, temporary swap files, and things like that. All of those are things that are volatile and are changing quite rapidly, but not nearly as quickly as a CPU register or cache memory. Then we move on to the data that's on persistent mass storage. Now, in the old days, we would just say the hard drive. But nowadays, we just say mass storage because this includes our hard drives, our solid-state drives, and our flash drives. All of these are persistent mass storage because they will retain the information when you take away power, unlike memory, but it does still change quite often as long as the computer is on and people are writing or reading to that disk.
Then we're going to go ahead and collect the things that are remotely logged, things like our SIEM and monitoring data. This is important because while it is not on the system you're analyzing, it was already remotely logged somewhere else. That other place somewhere else is still being read and written to over and over again by other systems, and so it could modify some data, so we want to collect that as well. After that, we want to get anything that's physical. This is the physical configuration and network topology and things of that nature. So if I go into the network and I start looking at the way it's wired and I say, "Okay, this computer was talking to this switch, which talks to this router," I can start mapping that out and collecting that information. After that, we're going to collect archival media. Now, what is that? It's things like backup tapes and offsite storage, things that are written to once and then aren't touched again. For instance, you might write something to a CD-R or DVD-R.
Once it's written to that disc, it's going to maintain that data on it until you destroy the disc. And so it is our lowest priority of collection, but still something we want to collect at the end of the day. Now, one piece of warning that I want to give you is something that a lot of junior analysts will neglect to think about. When you're dealing with the Windows Registry, a lot of people think about the Windows Registry as being on the hard disk. And while most of the Windows Registry is stored on the hard disk, there are some key areas, like the HKLM\Hardware hive, that only store themselves in memory. So you want to analyze that registry part using a memory dump instead. When I analyze the registry, I usually do it via memory dump first, and then I can go back and do it off the hard drive afterwards. That way, anything that was missed in memory might get caught by the hard drive, and I can see both things.
When you're dealing with things like the HKLM\Hardware hive, it's really important to capture that, because that is going to record every single disk that has been connected to or taken out of that computer. If I used a thumb drive in that computer, it's going to be logged in that hardware hive. So that would tell me as an analyst that I need to start looking for that thumb drive or that flash drive so I can find the data that was written off from this computer. And so that's one of the reasons why that's really important to think about.