0:00:00.080,0:00:02.199 Hello everyone, and welcome to today's session, Digital Forensics Best Practices: From Data Acquisition to Analysis. I'm Shilpago Swami and I'll be your host for the day. Before we get started, we would like to go over a few house rules for our attendees. The session will be in listen-only mode and will last for an hour, out of which the last 15 minutes will be dedicated to Q&A. If you have any questions during the webinar for our organizers or our speakers, use the Q&A window. Also, if you face any audio or video challenges, please check your internet connection, or you may log out and log in again. An important announcement for our audience: we have initiated CPE credit certificates for our participants, and to qualify for one, attendees are required to attend the entire webinar and then send an email to cybertalks@eccouncil.org, after which our team will issue the CPE certificate.
0:01:04.159,0:01:06.320 Also, we would like to announce to our audience the special handouts: take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC-Council and #cybertalks, and we will share free handouts with the first 15 audience members. As a commitment to closing the cybersecurity workforce gap by creating multi-domain cyber technicians, EC-Council pledges $3.5 million towards CCT education and certification scholarships to certify approximately 10,000 cyber professionals ready to contribute to the industry. Did you know that you can be part of the lucrative cybersecurity industry? Even top companies like Google, Microsoft, Amazon, IBM, Facebook and Dell all hire cybersecurity professionals. The cybersecurity industry has a 0% unemployment rate. The average salary for an entry-level cybersecurity job is about $100,000 per year in the United States. Furthermore, you don't need to know coding, you can learn from your home, and you get a scholarship to kickstart your career. Apply now. EC-Council is pledging a $3.5 million CCT scholarship for cybersecurity career starters. Scan the QR code on the screen to apply for the scholarship and fill out the form.
0:02:31.519,0:02:33.800 Now about our speaker, Dr. Lewis. Dr. Lewis Noguerol is the Information System Security Officer for the US Department of Commerce, NOAA, where he oversees cybersecurity operations for six states in the Southeast region. Dr. Lewis is also the President and CEO of Advanced Division of Informatics and Technology Inc., a company that focuses on data recovery, digital forensics and penetration testing. He is a world-renowned expert in data recovery, digital forensics and penetration testing. He holds multiple globally recognized information technology and cybersecurity certifications and accreditations, and is the recipient of multiple awards in technology, cybersecurity and mathematics. He currently serves pro bono as an editorial board member and reviewer of the American Journal of Information Science and Technology, is an adjunct professor for undergraduate and graduate programs at multiple universities in the US, and is a reviewer for the doctoral program at the University of Karachi in Pakistan. He is the author of multiple cybersecurity publications and articles, including "Cybersecurity Issues in Blockchain: Challenges and Possible Solutions".
0:03:52.200,0:03:54.200 And he is one of the co-authors and reviewers of the worldwide acclaimed book Intrusion Detection Guide. Prior to obtaining his doctoral degree in Information Systems and Technologies from the University of Phoenix, Dr. Lewis earned a Bachelor of Science in Radio Technical and Electronic Engineering, a Bachelor of Science in Telecommunications and Networking, and a Master of Science in Mathematics and Computer Sciences. Without any further delay, I would hand over the session to you, Dr. Lewis. Thank you very much. Thanks. Okay. Good morning, everybody. Good afternoon. Good night, depending on the specific area in which you reside. We are going to have an interesting conversation today about digital forensics best practices, from data acquisition to analysis. This is the title of the presentation and the subject, and I'm more than happy to be here with you guys and share some of my expertise. So let's go and start the conference. Okay, she already mentioned some of my credentials. I have been working in cybersecurity at this point for over 41 years.
0:05:08.759,0:05:11.600 This is in my DNA, a topic that I really like and respect and love, as I cannot talk about any other topic in my life. Before we go, I have here a segment that I put together for you. Okay, digital forensics best practices. Well, consideration number one, just to break the ice, is that in the labyrinth of cyberspace, where shadows dance through encrypted passages and data whispers its secrets, the digital detective emerges. This is us, the digital forensic expert. Clad in lines of code and armed with algorithms, they seek to unveil treasures of truth, solving enigmatic cyber crimes with a visual magnifying glass. This is what we do: they dissect, or we dissect, the digital tapestry, revealing the footprints of elusive cyber culprits. This is what cyber forensics or digital forensics is about. Each stroke and pixel holds a clue, something that we can use in our favor, and in this mesmerizing world of the digital era, ones and zeros, the art of digital forensics unfolds, unveiling the secrets of the digital realm. So forensics is about finding evidence that can lead to a particular process. It can be a legal process, it can be any other kind of process. But what is digital forensics from my point of view? Well, I mentioned, I guess already, that I'm working in cybersecurity for
0:06:50.039,0:06:52.720 41 years. My specializations are in penetration testing, data recovery and digital forensics. I have been working for the police department at multiple places doing digital forensics for law enforcement. So I try to put the easy definition for you, from my standpoint, about what digital forensics is. Digital forensics investigates digital devices and electronic data to uncover evidence. Please note that I don't say electronic information; I use the word data intentionally. Understand digital events and trace illicit activities; this is a key component of digital forensics. Normally speaking, digital forensics happens, of course, after the fact, and the idea of digital forensics is identifying pieces, okay, that lead to particular data that we can convey together and make a conclusion. It involves the systematic collection, preservation, analysis and presentation of digital evidence in legal proceedings, and this is key today, because we are technology dependent now, and there are multiple states, at least in the USA, and some other countries, in which digital forensics is still in a limbo because it's not accepted in the court of law. Okay, so this is very important to keep in mind. What are we going to do from the digital forensics standpoint? The
0:08:20.800,0:08:23.319 data collection process and the analysis. Digital forensic experts use specialized techniques and tools to find out data from computers, smartphones, networks and digital storage media to support investigations and resolve legal matters. So this is basically what digital forensics is about. Let's go and start with the technical part, which is the topic I like more. Okay, let's go and talk about those 30 best practices that I'm putting together for you. At the end of the presentation you will be having the opportunity to ask as many questions as you like. Now, number one: you have to follow the legal and ethical standards. For this particular first one I am not going to make any comment. I believe that ethics is a component, is a key component, of a cybersecurity expert. Do we always have to follow the rules? We always must follow the legal procedures in the places in which we operate, because every single place is different. Component number two: preserve the original evidence. This is key. Okay, you always have to maintain the integrity of the original evidence to ensure it is admissible in court. Any kind of manipulation, any kind of modification, is going to end in disqualification from the court system. Document everything. This is
0:09:50.920,0:09:52.839 something that technical people like me don't like too much, but when it comes to digital forensics we have to document every single step we do. We have to do video recording of all the steps we follow, and we want to make sure that everything is documented and recorded in the specific chronological order. This is a key component as well for the digital forensic investigation to be accepted in the court of law. Secure the scene: ensure that physical and digital crime scenes are secured to prevent contamination. If you present anything in the court and the opposite party has the ability to prove that something was not preserved, the conversation is over. Chain of custody, and I'm going to repeat that more than once during the presentation, I'm sorry: chain of custody is how you establish and maintain the evidence and the process that facilitates how the tracking process is handled. Use write-blocking tools. This is another key component of digital forensics. It means that you have to use the appropriate hardware and software that allows for write blockers when you are collecting data, to prevent alteration. There are a set of tools you can use, and at the end
0:11:20.240,0:11:22.440 of the presentation I'm going to provide you with the set of tools, a specific set of tools you can use as write-blocking tools. Verify hashing, or hash values: it is how you calculate and compare hash values to confirm data integrity. There is a confusion about integrity, confidentiality and availability. In digital forensics the most important component is integrity. It means that we have to make every single effort to make sure that the data is not modified in any possible way from the time we arrive to the time that we present the evidence in the court, and after that as well. So the other component is collect volatile data first. Okay, it makes, obviously, perfect sense. So you have to prioritize this type of data collection, as it can be lost or modified when the system is powered down. For many of you, what I'm going to tell you probably is going to sound not appropriate, and this is the following assessment. We have the perception, we have been told from the time that we arrived at school and even at work, that information or data, no, information, data in RAM memory, Random Access Memory, disappears when the computer is shut down. Back in 2019 I made a presentation similar to
0:12:53.040,0:12:55.199 this one for EC-Council as well, in which I proved that the data in RAM memory can be recovered. Okay, so what we have been learning in multiple places, what you can easily find in Google, that data in RAM is lost when the computer, when the computers are powered down, is not exactly correct. The other component is forensic imaging. You have to create forensic images of the storage devices to work with copies, and always have to preserve the original evidence. This is a requirement in the court of law: you must preserve the original evidence every single time. The other component is data recovery. Data recovery is very closely associated to digital forensics, for obvious reasons, okay, and you have to employ specialized tools to recover deleted or hidden data. This is also something to keep in mind, and at the end I'm going to provide some specific applications you can use to do data recovery. Timeline analysis: you have to construct and analyze timelines to understand the sequence of events, what happened first. The chronological order is a mandatory requirement in the court of law. You cannot provide evidence in the court of law in a random manner; you have to follow the specific chronological order. The other consideration
0:14:25.240,0:14:28.079 is preserving the metadata, ensuring metadata integrity to verify the source, timing and authenticity of the digital artifacts you are going to present in the court of law. Use known-good reference data, and it means that you have to compare the collected data with known-good reference data to identify anomalies. This is a statistical process, statistics, mathematics; many times you have to do that as well. Anti-forensics awareness: you have to be aware of anti-forensic techniques and counteract them. There are multiple applications that work against digital forensics, so you have to be aware of that, and before you start the digital forensic analysis, while you are doing or working in the digital forensic data collection process, you want to make sure that you don't have any anti-forensic tool or application installed in the particular host or hosts in which you are going to conduct the investigation. Other very important component is cross validation. This is what actually brings reputation and respect to the data you are presenting in the court of law. Okay, so the standard operating procedures: very important component that is many times overlooked, and it's about developing and following SOPs that
0:15:59.279,0:16:02.399 maintain, or to maintain, consistency. This is why documentation is key, and it was presented in slide number one. Training and certification is another component, and this is relevant. The reason why it's relevant: I understand that you can learn many things by yourself. This is becoming more popular as we become more technology dependent. This is normal and is expected, but certifications still have a particular value, and there are multiple questions in certification exams, in general terms, not only in EC-Council certifications or others, in which most likely if you don't go through the certification process you will never find out. And this is what people said, or some people said: well, this is theoretical information. Digital forensics involves a lot of theoretical information, a lot. Remember that we are doing the analysis at a low level from the technical standpoint, so theory is extremely important and relevant when we do forensic investigation, digital forensics. The same happens with medical doctors: when medical doctors do a forensic analysis on the body of somebody that passed away, they also employ a lot of theoretical knowledge they have been accumulating. Digital forensics is not
0:17:29.120,0:17:32.400 different. The other consideration is the expert testimony. Okay, I am, for example, I live in Miami, Florida, USA, and I am one of the 11 experts certified by the legal system in the 11th District, meaning that when you go to the court you have to be classified as an expert in order to provide comments and evidence. Otherwise, probably you know more than me about technology, but you will not be able to speak in the court, because what we say in the court is relevant for the case, and with our wording or statement, and through the evidence we provide, we have the ability to put somebody in jail or release this person from being in jail. So this is extremely important. Okay, so evidence storage. This is one of the most important components. Your opponent in the court, or in your company, is going to try their best in order to shoot down what you are presenting, so you have to safely store and protect evidence to maintain its integrity. Integrity is the most important characteristic or consideration in digital forensics, without any other close to it, so integrity is everything in digital forensics. Okay, data encryption. There are multiple cases in which you are going to do digital forensics on encrypted storage devices, on encrypted data, in
0:19:06.919,0:19:11.159 encrypted applications. You need to develop the possibility to handle the encrypted data and understand encryption methods. I have, between the publications I have, I have over 25 publications about different topics and concepts in cybersecurity; a few of them, probably five or six, are specifically about encryption. If we want to do digital forensics we want to become data encryption experts; there is no other way. I understand that multiple people don't like math, statistics, physics, etc., but this is a requirement to do an appropriate digital forensic assessment. It is a necessity today. Okay, the other consideration, and this is for the people that love technology like me attending or watching this conference, is network. I am a big fan of network. I have been working in network straight for 41 years. My doctoral degree is in telecommunications and cybersecurity, so network is in my DNA. I love network over every other topic in information technology. Network analysis is the possibility for you to analyze network traffic, logs and data to trace digital footprints. I'm pretty sure that everybody has a tool in mind, and of course this tool most likely is part of the tools that I'm going to provide in the last slide
0:20:42.280,0:20:44.600 for you guys. But network analysis today, from the digital forensics standpoint, is everything. Everything is network related, one way or another. Malware analysis: we need to develop the possibility to understand malware behavior and analysis, and how that malware impacts systems. This needs to be incorporated as part of the cybersecurity analysis when you perform digital forensics today. Cloud forensics: I don't have to highlight how important cloud operation is. Okay, we are moving the operation to the cloud, and for the ones that are still having or running the operation on premise, there is a high expectation that sooner than later they move the operation to the cloud. Multiple conveniences, but the consideration at this point is not the benefit or outcomes of the cloud. From the forensics standpoint, when you do cloud forensics the situation is a little different from when you do an investigation on premise, so you have to adapt methodologies for investigating data in the cloud, independently of the cloud provider. It doesn't matter if this is AWS, Google, Azure, whoever it is, the operation in the cloud is somehow different from the digital forensics standpoint, starting from the way you access the data. Remote forensics is
0:22:12.720,0:22:16.080 the opportunity to develop skills for collecting and analyzing data from a remote location. This is happening more frequently now as we become more remote-work related. In multiple cases, in my own company, not in my job at the government, but in my own company, I have been doing in the last two years, three years, probably two years, more remote digital forensics than probably ever before in my life. So this is an important skill to develop as well. Case management is the way we use digital forensic case management to organize investigations. I mentioned to you, I go to the court very often, more often than what I want, very, very often, okay, and they go and scrutinize every single protocol you present, every single artifact, every single document, the specific chronological order. This is a complex process. It's not only collecting the data, the digital forensic data, doing the analysis and going to the court and talking, okay; the process is much more complex than this. Collaboration: collaborate with other experts, and I leave one in the middle that I'm going to highlight in a few. Collaborate with other experts, law enforcement or organizations for complex cases. Cases are different in between, of course; this is obvious and I know you
0:23:41.880,0:23:44.880 know that. Okay, but you have some cases sometimes in which the forensic analysis becomes very complex. On those particular cases my advice is collaborate with others. Okay, you do better when you work as part of a team and not when we work independently. And I skipped the data privacy compliance for a minute, because this is relevant. Every single state, every single one, no exception, every state court operates on different requirements, so you want to make sure that you follow the privacy regulations in your specific place. Okay, and by the way, I'm going to ask you a question. I'm not expecting any response, but the question is: by any chance, do you know the specific digital forensic regulations in the place you live? Ask the question yourself, and probably some of you are going to respond no. This is a critical thing. Continuous learning: you need to have passion for what we do. Okay, cybersecurity is a specialization of IT, from my point of view the most fascinating topic in the world, in the planet. This is the only topic I can talk about by myself for 25 hours without drinking water. This is my life. I dedicate multiple hours every single day, seven days a week, even when it creates some personal problems with my family, etc. This is in
0:25:15.960,0:25:19.960 my DNA. I encourage each of you, if you 0:25:19.960,0:25:23.679 are not doing it, to dedicate your life to 0:25:23.679,0:25:27.120 become a digital forensic expert. Digital 0:25:27.120,0:25:30.320 forensics is one of the most fascinating 0:25:30.320,0:25:33.120 topics in the planet, okay, and you want 0:25:33.120,0:25:36.559 to be attentive to this type of things. 0:25:36.559,0:25:38.520 Report and presentation: when you go to 0:25:38.520,0:25:41.360 the court or when you present your 0:25:41.360,0:25:44.080 outcomes, all the digital forensic 0:25:44.080,0:25:46.600 outcomes, to your organization, you want 0:25:46.600,0:25:48.360 to make sure that you use clear 0:25:48.360,0:25:52.320 language, you are concise and you go 0:25:52.320,0:25:54.559 ready for the presentation, questions and 0:25:54.559,0:25:56.679 answers. You never want to go to the 0:25:56.679,0:25:59.000 court unprepared, okay, never in your 0:25:59.000,0:26:00.880 life, this is not appropriate, because at 0:26:00.880,0:26:04.440 the end your assessment has the 0:26:04.440,0:26:07.520 possibility to put somebody in jail, or 0:26:07.520,0:26:09.080 somebody will be fired from the 0:26:09.080,0:26:12.320 organization or not, so what we say is 0:26:12.320,0:26:16.200 relevant. Our wording has a huge impact 0:26:16.200,0:26:18.960 on other people's lives; it's important 0:26:18.960,0:26:21.399 to be attentive to that. One of the most 0:26:21.399,0:26:24.720 relevant topics that I have been using in 0:26:24.720,0:26:27.679 my practice is the use of artificial 0:26:27.679,0:26:30.760 intelligence in digital forensics since 0:26:30.760,0:26:35.919 2017. This is not a topic that is well 0:26:35.919,0:26:39.480 known at this point, the reason why I 0:26:39.480,0:26:41.919 really want to share my experience, 0:26:41.919,0:26:44.919 practical experience, with you guys. 0:26:44.919,0:26:47.919 Digital evidence analysis: how artificial 0:26:47.919,0:26:51.720 intelligence can help us. Well, everybody
0:26:51.720,0:26:55.320 knows that we have multiple applications 0:26:55.320,0:26:58.399 that we can use in order to analyze 0:26:58.399,0:27:00.480 the different kinds of media that can be 0:27:00.480,0:27:03.440 generated, as for example text, images and 0:27:03.440,0:27:06.279 videos. Artificial intelligence tools 0:27:06.279,0:27:09.159 have the ability to detect and flag 0:27:09.159,0:27:11.320 potentially relevant content for 0:27:11.320,0:27:13.399 investigations, especially from the 0:27:13.399,0:27:17.000 timing standpoint. Digital forensics is 0:27:17.000,0:27:19.919 extremely time consuming, very very time 0:27:19.919,0:27:23.200 consuming, it's extremely complex. This is 0:27:23.200,0:27:27.000 probably, along with data recovery, the 0:27:27.000,0:27:29.720 most complex specialization in cyber 0:27:29.720,0:27:32.760 security, so the use of artificial 0:27:32.760,0:27:35.679 intelligence in our favor is very 0:27:35.679,0:27:38.159 convenient, and at the end I'm going to 0:27:38.159,0:27:40.720 include as well, or actually I included 0:27:40.720,0:27:44.039 in the list, a particular artificial 0:27:44.039,0:27:45.919 intelligence tool that you can use in 0:27:45.919,0:27:49.159 your favor. The other use of artificial 0:27:49.159,0:27:51.600 intelligence is pattern 0:27:51.600,0:27:54.159 recognition. Artificial intelligence can 0:27:54.159,0:27:56.960 identify patterns in data, helping 0:27:56.960,0:27:59.720 investigators recognize anomalies or 0:27:59.720,0:28:02.720 correlations in digital artifacts that 0:28:02.720,0:28:05.720 may indicate criminal activity, and 0:28:05.720,0:28:07.640 out of the whole sentence the most 0:28:07.640,0:28:09.600 important question is, and no 0:28:09.600,0:28:12.000 question, what the key word is: 0:28:12.000,0:28:15.080 correlation. How we correlate data. By 0:28:15.080,0:28:17.039 using artificial intelligence the 0:28:17.039,0:28:19.399 process is going to be simplified, 0:28:19.399,0:28:22.000 dramatically speaking, based on my
0:28:22.000,0:28:25.080 personal experience. The other component 0:28:25.080,0:28:28.240 is NLP. This can be used to analyze 0:28:28.240,0:28:31.440 text-based evidence, including chat logs 0:28:31.440,0:28:33.919 and emails, to uncover communication 0:28:33.919,0:28:37.039 patterns or hearing minutes. A lot of the 0:28:37.039,0:28:39.679 evidence that we collect, about 0:28:39.679,0:28:43.760 65%, is included in emails, chats, 0:28:43.760,0:28:48.080 documents etc., so this is when NLP plays 0:28:48.080,0:28:49.960 a predominant role. Artificial 0:28:49.960,0:28:52.120 intelligence in the digital forensic 0:28:52.120,0:28:55.399 analysis for image and video analysis: 0:28:55.399,0:28:58.159 incredible benefits, okay. You have the 0:28:58.159,0:29:00.039 ability to analyze the multimedia 0:29:00.039,0:29:02.559 content to identify objects, faces and 0:29:02.559,0:29:05.000 potentially illegal or 0:29:05.000,0:29:08.320 sensitive content. I'm sure that a word 0:29:08.320,0:29:11.200 is coming to your mind right now: steganography. 0:29:11.200,0:29:14.000 Yes, this is part of the steganography, but it's 0:29:14.000,0:29:18.480 not similar to doing steganography by using a 0:29:18.480,0:29:20.440 particular application; when you 0:29:20.440,0:29:23.159 employ artificial intelligence tools 0:29:23.159,0:29:25.279 that are dedicated exclusively for 0:29:25.279,0:29:28.360 digital forensics, the benefit is really 0:29:28.360,0:29:31.080 awesome. Predictive analysis: machine 0:29:31.080,0:29:33.720 learning models can predict potential 0:29:33.720,0:29:37.120 areas of interest in an investigation, 0:29:37.120,0:29:39.559 guiding forensic experts to focus on 0:29:39.559,0:29:42.039 critical evidence. Imagine that you are 0:29:42.039,0:29:45.279 analyzing a hard drive that is one 0:29:45.279,0:29:49.039 terabyte, okay. One terabyte holds a lot of 0:29:49.039,0:29:52.600 documents, videos, pictures, sounds etc. You 0:29:52.600,0:29:55.080 know that, okay, you know that if you are 0:29:55.080,0:29:56.960 attending these conferences, because
you 0:29:56.960,0:29:59.360 are very familiar with information 0:29:59.360,0:30:02.880 technology, cyber security, digital forensics. 0:30:02.880,0:30:06.640 Well, how do you find the specific data you 0:30:06.640,0:30:09.480 need to prove something in the court of 0:30:09.480,0:30:12.360 law? Well, you have to be very careful 0:30:12.360,0:30:14.519 about the pieces of data you pick for 0:30:14.519,0:30:17.760 the analysis, otherwise probably your 0:30:17.760,0:30:20.080 assessment is not appropriate. And again, 0:30:20.080,0:30:23.000 every single word we say in the court 0:30:23.000,0:30:26.159 of law or in the organization that we 0:30:26.159,0:30:29.720 are working for is relevant. It implies 0:30:29.720,0:30:31.799 that probably somebody will be in jail 0:30:31.799,0:30:35.080 for 30 years, probably somebody, if we are 0:30:35.080,0:30:38.440 talking about a huge crime like an 0:30:38.440,0:30:41.559 assassination, a child pornography abuse 0:30:41.559,0:30:45.320 that implies somebody that died etc. Our 0:30:45.320,0:30:48.600 assessment is critical, okay, we become 0:30:48.600,0:30:51.720 the role of the main role player when 0:30:51.720,0:30:53.880 digital forensics is involved. We have to 0:30:53.880,0:30:56.240 be very careful about the way we do it; 0:30:56.240,0:30:59.480 this is not a joke, it is very serious, okay. 0:30:59.480,0:31:01.480 Predictive analysis: machine learning 0:31:01.480,0:31:03.600 models, or artificial intelligence, are 0:31:03.600,0:31:06.320 pretty close in this concept, can predict 0:31:06.320,0:31:08.480 potential areas of interest in an 0:31:08.480,0:31:11.240 investigation, but we talked about that. 0:31:11.240,0:31:12.880 Detection: artificial intelligence 0:31:12.880,0:31:15.720 driven security tools can identify 0:31:15.720,0:31:17.960 cyber threats and potential cyber crime 0:31:17.960,0:31:20.519 activities, helping law enforcement and cyber 0:31:20.519,0:31:23.600 security teams respond effectively and 0:31:23.600,0:31:27.240 proactively. More importantly, we all, the
0:31:27.240,0:31:30.039 majority of us, have multiple tools that 0:31:30.039,0:31:31.440 we call 0:31:31.440,0:31:34.519 proactive, huh, in our place of work, okay. We 0:31:34.519,0:31:37.600 have different kinds of monitors etc., but 0:31:37.600,0:31:39.840 the possibility to do something in a 0:31:39.840,0:31:43.399 proactive mode is really what we want. 0:31:43.399,0:31:45.639 Evidence authentication: artificial 0:31:45.639,0:31:47.120 intelligence can assist in the 0:31:47.120,0:31:49.360 authentication of digital evidence, 0:31:49.360,0:31:51.440 ensuring its integrity and the 0:31:51.440,0:31:54.200 possibility of this data to be admitted 0:31:54.200,0:31:57.399 in court. Data recovery: artificial 0:31:57.399,0:32:00.440 intelligence helps with the recovery of 0:32:00.440,0:32:02.279 the data that has been deleted 0:32:02.279,0:32:05.320 intentionally or unintentionally, it 0:32:05.320,0:32:07.399 doesn't matter. When we do digital 0:32:07.399,0:32:10.919 forensics we want to have as much data as 0:32:10.919,0:32:14.880 we can that serves to make a case 0:32:14.880,0:32:17.600 against a particular party. From the 0:32:17.600,0:32:20.200 malware analysis standpoint, the 0:32:20.200,0:32:23.240 artificial intelligence brings a lot of 0:32:23.240,0:32:25.960 speed, and this is needed because again 0:32:25.960,0:32:29.240 you are looking for a needle in a ton of 0:32:29.240,0:32:33.039 water, okay, or in a ton of sand, and this 0:32:33.039,0:32:35.639 is very complex. From the network 0:32:35.639,0:32:37.880 forensic standpoint we are accustomed to 0:32:37.880,0:32:40.720 use tools as for example Wireshark, everybody 0:32:40.720,0:32:44.480 knows Wireshark and I know that well. Anyway, 0:32:44.480,0:32:46.559 there are some specific artificial 0:32:46.559,0:32:49.200 intelligence tools for network forensic 0:32:49.200,0:32:53.240 analysis nowadays, and I included two of 0:32:53.240,0:32:56.039 those tools in the list in the last 0:32:56.039,0:32:59.440 slide. Automated triage: this is one of the
0:32:59.440,0:33:01.559 most important considerations for you to 0:33:01.559,0:33:04.000 consider artificial intelligence in 0:33:04.000,0:33:08.120 digital forensics: speed, okay. Basically 0:33:08.120,0:33:11.039 this is the possibility to do 0:33:11.039,0:33:15.960 correlation between large data sets. Case 0:33:15.960,0:33:18.399 prioritization: artificial intelligence can 0:33:18.399,0:33:20.480 assist investigators in 0:33:20.480,0:33:23.519 prioritizing cases based on factors like 0:33:23.519,0:33:25.960 severity, potential impact or resource 0:33:25.960,0:33:29.200 allocation, and it means timing. 0:33:29.200,0:33:31.919 Predictive policing, super important, 0:33:31.919,0:33:35.039 because until today digital forensics is 0:33:35.039,0:33:38.399 always reactive, more we react to 0:33:38.399,0:33:40.840 something that happened. The possibility to 0:33:40.840,0:33:44.120 make predictions in digital forensics is 0:33:44.120,0:33:46.519 fantastic, it never happened before, this 0:33:46.519,0:33:49.240 is new, at least for me. I started using 0:33:49.240,0:33:51.600 artificial intelligence back in my own 0:33:51.600,0:33:54.919 company in 2017 and I have been able to use 0:33:54.919,0:33:55.960 that in 0:33:55.960,0:33:59.399 multiple cases for the police department 0:33:59.399,0:34:02.600 in Miami and another two cities in 0:34:02.600,0:34:06.639 Florida, Tampa and St. Petersburg, and the 0:34:06.639,0:34:09.239 results have been amazing. Document 0:34:09.239,0:34:12.280 analysis: you know that NLP can extract 0:34:12.280,0:34:14.800 information from documents and analyze 0:34:14.800,0:34:17.119 textual content for investigations; 0:34:17.119,0:34:19.079 artificial intelligence minimizes, 0:34:19.079,0:34:21.440 dramatically speaking, the time needed 0:34:21.440,0:34:24.639 for that. Emotion recognition: everybody 0:34:24.639,0:34:27.760 knows what happened with the desp 0:34:27.760,0:34:31.560 algorithms, okay, so we can use artificial 0:34:31.560,0:34:33.918 intelligence basically to analyze
videos 0:34:33.918,0:34:38.040 which is awesome, because our eyes, the 0:34:38.040,0:34:40.239 muscles in our eyes, don't have the 0:34:40.239,0:34:43.399 ability to lie. We can lie when we speak, 0:34:43.399,0:34:46.079 or we can try, but the eyes, the reaction 0:34:46.079,0:34:49.119 to a particular stimulus, cannot be hidden 0:34:49.119,0:34:51.960 or cannot be modified, so this is unique. 0:34:51.960,0:34:54.480 From the data privacy and compliance 0:34:54.480,0:34:57.119 also you have the ability to automate, 0:34:57.119,0:35:00.079 to automate, 0:35:00.079,0:35:02.680 automate the specific data you want to 0:35:02.680,0:35:06.800 include as part of your report, okay. Now, 0:35:06.800,0:35:09.280 digital forensic data acquisition steps 0:35:09.280,0:35:12.400 from my standpoint after 41 years. 0:35:12.400,0:35:15.480 Preservation, we already talked about this, 0:35:15.480,0:35:18.160 documentation, preservation is integrity, 0:35:18.160,0:35:21.320 okay. This is the most important 0:35:21.320,0:35:24.119 consideration, categorically speaking, in 0:35:24.119,0:35:25.880 any kind of digital forensic 0:35:25.880,0:35:28.400 investigation: you have to preserve the 0:35:28.400,0:35:31.320 data as it is, and remember you never use 0:35:31.320,0:35:33.119 the original data for your forensic 0:35:33.119,0:35:36.520 analysis, never. You always use a copy, and 0:35:36.520,0:35:39.599 to do copies you have to use bit-by- 0:35:39.599,0:35:43.320 bit applications, bit by bit. You cannot 0:35:43.320,0:35:46.800 copy bytes, or you cannot copy even data 0:35:46.800,0:35:49.160 and forget about information, so 0:35:49.160,0:35:52.359 preservation is the most important thing. 0:35:52.359,0:35:54.520 Documentation: we already know that 0:35:54.520,0:35:56.960 everything needs to be documented, okay, 0:35:56.960,0:35:59.960 from the crime scene or office to the 0:35:59.960,0:36:02.599 last point. Chain of custody, one more 0:36:02.599,0:36:04.640 time, and I guess that I'm going to 0:36:04.640,0:36:07.119
mention this one more time, because chain 0:36:07.119,0:36:10.280 of custody means, or opens the door for 0:36:10.280,0:36:13.079 you, to present a case in the court of 0:36:13.079,0:36:17.400 law, or to basically have the ability in 0:36:17.400,0:36:20.040 your organization to prove that what you 0:36:20.040,0:36:22.520 are presenting is appropriate. You have 0:36:22.520,0:36:25.839 to plan how you are going to collect the 0:36:25.839,0:36:29.160 data. You have to plan with anticipation 0:36:29.160,0:36:31.640 the specific tools you are going to use, 0:36:31.640,0:36:34.760 what methods you are going to consider 0:36:34.760,0:36:37.200 in your data collection process. This is 0:36:37.200,0:36:40.079 relevant, and you always have to consider 0:36:40.079,0:36:44.040 the cons. Cons are probably more important 0:36:44.040,0:36:47.520 than pros when you select or decide to 0:36:47.520,0:36:51.119 use a particular application for the 0:36:51.119,0:36:54.160 data acquisition. You always want to 0:36:54.160,0:36:57.359 focus on the negative. People usually 0:36:57.359,0:36:59.680 tend to talk about the positive: oh, I 0:36:59.680,0:37:02.079 like Wireshark because this and that. 0:37:02.079,0:37:03.560 It's better that you focus on the 0:37:03.560,0:37:06.880 negative. In information technology 0:37:06.880,0:37:09.599 everything has pros and cons, no 0:37:09.599,0:37:13.240 exceptions, exceptions do not exist, there 0:37:13.240,0:37:16.839 is not one exception. Everything positive 0:37:16.839,0:37:18.760 has something negative in information 0:37:18.760,0:37:20.880 technology, and this is what you want to 0:37:20.880,0:37:24.599 focus on to avoid problems at the end, 0:37:24.599,0:37:27.800 okay. So, 0:37:27.800,0:37:29.800 how about the verification process? You 0:37:29.800,0:37:33.800 have to verify, before you work with the 0:37:33.800,0:37:36.640 real data, that the tools and methods you 0:37:36.640,0:37:39.960 selected work, okay. You never want to 0:37:39.960,0:37:42.560 mess up with the
original data; instead, 0:37:42.560,0:37:45.359 with a copy, you want to test in a test 0:37:45.359,0:37:48.359 environment your tools, your methods, your 0:37:48.359,0:37:50.400 approach, the steps you are going to 0:37:50.400,0:37:53.440 follow. It is very time consuming, it is, but 0:37:53.440,0:37:56.960 by the way it's also very well paid, it is 0:37:56.960,0:37:58.920 very well paid. The only thing I can tell 0:37:58.920,0:38:00.880 you is that it's very well paid, you have no 0:38:00.880,0:38:04.359 idea. If you become a cyber security 0:38:04.359,0:38:07.200 expert and specialize in digital 0:38:07.200,0:38:10.680 forensics, this is where the money is, and 0:38:10.680,0:38:13.240 trust me, this is where the money is, okay, 0:38:13.240,0:38:17.599 I'm telling you first person. Duplication: 0:38:17.599,0:38:21.000 we talked about that already, the only way 0:38:21.000,0:38:23.960 to do that is by creating a bit-for-bit 0:38:23.960,0:38:27.119 image, there is no other way, okay. This 0:38:27.119,0:38:29.920 is why you want to use write-blocking 0:38:29.920,0:38:31.920 devices, software and hardware, I 0:38:31.920,0:38:34.560 mentioned that before. Checksums and 0:38:34.560,0:38:37.040 hashing: different concepts that some 0:38:37.040,0:38:40.160 people are still confused about, okay. 0:38:40.160,0:38:42.040 There is a huge difference between the 0:38:42.040,0:38:46.040 two; the main one is that hashing is a 0:38:46.040,0:38:49.760 one-way function, you go from the left to 0:38:49.760,0:38:51.920 the right and usually you don't have the 0:38:51.920,0:38:53.720 ability to come back to replicate the 0:38:53.720,0:38:56.839 process. Of course, if you have the 0:38:56.839,0:38:59.280 algorithms on hand then you can do 0:38:59.280,0:39:02.040 reverse engineering, this is obvious, but 0:39:02.040,0:39:04.319 this is not what happens in regular 0:39:04.319,0:39:06.920 conditions, okay. So checksums and 0:39:06.920,0:39:10.319 hashing both minimize the possibility 0:39:10.319,0:39:13.200 that you make a mistake in your
digital 0:39:13.200,0:39:15.640 forensic, er, 0:39:15.640,0:39:18.240 analysis. The other component is 0:39:18.240,0:39:21.599 acquisition, okay, so how are you going to 0:39:21.599,0:39:23.599 collect the data, what particular tools 0:39:23.599,0:39:26.040 are you going to use. You always have to 0:39:26.040,0:39:29.359 maintain strict read-only access to the 0:39:29.359,0:39:31.560 source. If you have the ability to 0:39:31.560,0:39:34.640 manipulate the data in the source you 0:39:34.640,0:39:37.640 have the ability to tamper with actually 0:39:37.640,0:39:39.680 the most important consideration out of 0:39:39.680,0:39:43.680 the CIA, which is integrity. If the 0:39:43.680,0:39:46.920 opponent, the opposite party to you in 0:39:46.920,0:39:49.560 your organization, the defendant in other 0:39:49.560,0:39:53.520 words, has the ability to prove that 0:39:53.520,0:39:56.880 the original data or source can be 0:39:56.880,0:39:58.960 manipulated in any way, the conversation 0:39:58.960,0:40:01.920 is 100% over and the case will be 0:40:01.920,0:40:04.319 dismissed, categorically speaking, there is no 0:40:04.319,0:40:07.839 more conversation. So this is a humongous 0:40:07.839,0:40:10.440 responsibility when it comes to data 0:40:10.440,0:40:12.920 acquisition: what protocols you use, what 0:40:12.920,0:40:14.800 the specific tools are, how you plan it, 0:40:14.800,0:40:17.040 how you document. It is a very painful 0:40:17.040,0:40:21.319 process, in other words, okay. Now, data 0:40:21.319,0:40:24.480 recovery: we already talked about the 0:40:24.480,0:40:27.400 complexity of finding a needle in a ton 0:40:27.400,0:40:30.440 of sand. This is super complex, okay, but it's 0:40:30.440,0:40:34.079 doable. The only thing you have to use is 0:40:34.079,0:40:36.000 the appropriate tools, and you need 0:40:36.000,0:40:38.440 to have a specific plan, because every 0:40:38.440,0:40:41.960 single case is 100% different. Digital 0:40:41.960,0:40:44.800 signatures: sign the acquired data, in 0:40:44.800,0:40:48.400
hashes, with a digital signature for 0:40:48.400,0:40:50.440 authentication. There are multiple cases 0:40:50.440,0:40:53.960 today in which hand signatures are not 0:40:53.960,0:40:56.960 accepted anymore in the government. I 0:40:56.960,0:40:58.800 am a federal officer for the US 0:40:58.800,0:41:01.920 Department of Commerce in the USA; in the 0:41:01.920,0:41:04.560 government we are not allowed to sign 0:41:04.560,0:41:07.680 anything by hand, for many years back, 0:41:07.680,0:41:11.599 many years, okay. Digital signatures have 0:41:11.599,0:41:15.720 a specific component that minimizes, 0:41:15.720,0:41:18.240 dramatically speaking, the possibility of 0:41:18.240,0:41:20.720 replication, and this is why this is 0:41:20.720,0:41:23.359 accepted in the court of law. 0:41:23.359,0:41:26.000 Verification verifies the integrity of 0:41:26.000,0:41:29.440 the acquired image by comparing hash values 0:41:29.440,0:41:32.240 with those calculated before. The hash 0:41:32.240,0:41:36.280 values must be exact, no difference, not 0:41:36.280,0:41:39.079 even in one 0:41:39.079,0:41:43.280 0.001 percentage; it must match 100%, 0:41:43.280,0:41:46.520 categorically speaking, otherwise the 0:41:46.520,0:41:49.119 court is going to dismiss the case as 0:41:49.119,0:41:52.240 well, or the organization probably is not 0:41:52.240,0:41:55.119 going to take the appropriate action versus 0:41:55.119,0:41:59.119 a particular individual or problem or 0:41:59.119,0:42:03.079 process, okay. Logs and notes: we already talked 0:42:03.079,0:42:05.560 about documentation at the beginning. You 0:42:05.560,0:42:09.280 have to actually make sure that 0:42:09.280,0:42:12.240 everything is timestamped. As I mentioned 0:42:12.240,0:42:15.040 before at the beginning, digital forensics 0:42:15.040,0:42:18.440 must be collected in a particular order, 0:42:18.440,0:42:21.400 analyzed in a similar manner, and 0:42:21.400,0:42:24.599 presented in the report in the specific 0:42:24.599,0:42:28.040 order in which the process was done,
0:42:28.040,0:42:31.160 otherwise the process is going to be 0:42:31.160,0:42:33.720 disqualified, and this is exclusively, at 0:42:33.720,0:42:36.880 this point, our own responsibility and 0:42:36.880,0:42:41.520 nobody else's, okay. The storage: we already 0:42:41.520,0:42:44.880 know that chain of custody is one of the 0:42:44.880,0:42:46.520 most important components. There are 0:42:46.520,0:42:49.160 multiple forms, depending on the state in 0:42:49.160,0:42:51.960 which you live and the country as well, 0:42:51.960,0:42:54.680 that you have to follow. Anything, if you 0:42:54.680,0:42:57.559 miss a check mark or if you put a check 0:42:57.559,0:43:00.400 mark on those particular forms, you are 0:43:00.400,0:43:04.079 basically dismissing the case 0:43:04.079,0:43:06.720 unintentionally. The court doesn't work in 0:43:06.720,0:43:10.040 the way many of us believe, okay. We have 0:43:10.040,0:43:12.280 the possibility to put somebody in the 0:43:12.280,0:43:16.359 electric chair, or to release, to provide 0:43:16.359,0:43:18.520 to this particular individual or 0:43:18.520,0:43:21.880 organization; what we say is relevant, 0:43:21.880,0:43:24.400 okay, this is very important. The briefing: 0:43:24.400,0:43:26.119 you always have to be in 0:43:26.119,0:43:29.640 communication with all parties, both the 0:43:29.640,0:43:32.359 one presenting the digital process or 0:43:32.359,0:43:35.359 ruling the process and the other party as 0:43:35.359,0:43:39.520 well. You cannot hide anything, zero, from 0:43:39.520,0:43:41.880 your opponents in the court of law or 0:43:41.880,0:43:44.720 from the defendant party, never in your 0:43:44.720,0:43:47.559 life. This is why the first bullet in the 0:43:47.559,0:43:50.040 whole presentation was, as you may 0:43:50.040,0:43:54.079 remember, ethics, okay. In digital forensics 0:43:54.079,0:43:57.480 we provide what we know to the other 0:43:57.480,0:44:00.440 parties as well, even to the defendant, to 0:44:00.440,0:44:03.119 the opponents, every single time, no
0:44:03.119,0:44:06.520 exception, and we provide every single 0:44:06.520,0:44:09.559 artifact with the clearest possible 0:44:09.559,0:44:12.480 explanation to the opponents. This is how 0:44:12.480,0:44:14.880 the digital forensic process works, 0:44:14.880,0:44:17.720 otherwise it will be dismissed as well 0:44:17.720,0:44:20.839 in the court. Storing: you have to make 0:44:20.839,0:44:24.160 sure that every single piece of digital 0:44:24.160,0:44:27.000 evidence is 0:44:27.000,0:44:30.520 properly stored, and then that you follow the 0:44:30.520,0:44:32.720 process by the book. Again, if you skip 0:44:32.720,0:44:36.640 one step, just one out of 100 or 200, 0:44:36.640,0:44:39.520 depending on the case, the case is going 0:44:39.520,0:44:42.720 to be dismissed, no exceptions. The court 0:44:42.720,0:44:46.319 goes by the book, as you can imagine, and 0:44:46.319,0:44:48.000 your opponent is going to be very 0:44:48.000,0:44:50.200 attentive to the minimum possible 0:44:50.200,0:44:53.839 failure to dismiss the case, okay. So how 0:44:53.839,0:44:56.200 you transport the data from one place to 0:44:56.200,0:44:59.240 the other place: chain of custody, this is 0:44:59.240,0:45:02.760 the key component, chain of custody. Data 0:45:02.760,0:45:06.200 encryption: you have to make sure that 0:45:06.200,0:45:10.440 you prevent, or actually prevent, 0:45:10.440,0:45:13.119 integrity manipulation, and you always 0:45:13.119,0:45:16.319 want to ensure the confidentiality of the 0:45:16.319,0:45:19.000 data. CIA, we already talked about the 0:45:19.000,0:45:21.520 components: confidentiality, integrity, 0:45:21.520,0:45:23.480 availability. From the digital forensic 0:45:23.480,0:45:26.319 standpoint the most important, no 0:45:26.319,0:45:29.880 exception, is integrity, and also the 0:45:29.880,0:45:32.319 confidentiality, okay. So from the 0:45:32.319,0:45:35.200 recovery image standpoint you always 0:45:35.200,0:45:37.960 want to have a duplicate for validation 0:45:37.960,0:45:40.760 and
reanalysis, and remember that you 0:45:40.760,0:45:43.559 always want to work with a copy of the 0:45:43.559,0:45:47.920 digital evidence, 100% of the time, not 99. 0:45:47.920,0:45:50.680 You have to preserve the original 0:45:50.680,0:45:52.720 evidence; this is part of our 0:45:52.720,0:45:56.480 responsibility, and this is why we do bit- 0:45:56.480,0:46:00.480 by-bit analysis and bit-by-bit copy. It's 0:46:00.480,0:46:04.200 complex, okay. Now, a specific step in 0:46:04.200,0:46:06.079 digital forensics to analyze the 0:46:06.079,0:46:08.720 collected data. At this point you already 0:46:08.720,0:46:10.880 went through multiple processes and spent 0:46:10.880,0:46:14.359 a lot of time. How do you analyze the 0:46:14.359,0:46:16.079 data you have, because you are going to 0:46:16.079,0:46:19.400 have probably terabytes of data, okay? 0:46:19.400,0:46:23.680 Well, you have to make sure that hashing 0:46:23.680,0:46:27.440 and the digital signatures and the chain 0:46:27.440,0:46:31.480 of custody have been followed. Data 0:46:31.480,0:46:34.000 prioritization: what happens and what is 0:46:34.000,0:46:35.880 more relevant. You cannot present in the 0:46:35.880,0:46:38.800 court two terabytes of data or 2,000 0:46:38.800,0:46:41.640 pages, this is irrelevant for the case, 0:46:41.640,0:46:44.240 okay. You have to make sure that you use 0:46:44.240,0:46:47.240 keywords in order to provide a solid 0:46:47.240,0:46:49.680 report to the court for this particular 0:46:49.680,0:46:52.839 case. For the keywords, artificial 0:46:52.839,0:46:56.000 intelligence has been proven to me to be 0:46:56.000,0:46:59.319 of huge help. File carving: you have to 0:46:59.319,0:47:02.119 use a specialized tool to recover files 0:47:02.119,0:47:05.480 that may have been deleted or 0:47:05.480,0:47:08.760 intentionally hidden. Timeline analysis, 0:47:08.760,0:47:11.440 we talked about it: you have to do everything 0:47:11.440,0:47:13.920 by following a particular sequence of 0:47:13.920,0:47:16.720 activities, in other words
you have to 0:47:16.720,0:47:18.760 present and do the analysis in 0:47:18.760,0:47:21.280 chronological order, in the way that you 0:47:21.280,0:47:23.880 collected the data. This is the exact way 0:47:23.880,0:47:26.040 you do the analysis, and later you do 0:47:26.040,0:47:28.119 correlation, okay, but you have to follow 0:47:28.119,0:47:30.760 a particular chronological order. Data 0:47:30.760,0:47:33.440 recovery: you have to do your best to 0:47:33.440,0:47:35.520 reconstruct the data that has been 0:47:35.520,0:47:38.559 deleted or probably damaged, even by a 0:47:38.559,0:47:40.880 physical or electronic condition in the 0:47:40.880,0:47:43.680 storage media. The metadata analysis is 0:47:43.680,0:47:46.240 also complex, okay. This is the next 0:47:46.240,0:47:49.240 component after the timeline 0:47:49.240,0:47:52.040 analysis. Metadata includes multiple kinds 0:47:52.040,0:47:54.880 of data, so this part of the analysis is 0:47:54.880,0:47:57.359 going to be complex, and more time 0:47:57.359,0:47:59.520 consuming than the data collection, and 0:47:59.520,0:48:02.319 the data collection is already very time 0:48:02.319,0:48:04.760 consuming. Content analysis: you have to 0:48:04.760,0:48:06.280 be very careful, because this is 0:48:06.280,0:48:08.960 basically what the forensic analysis is 0:48:08.960,0:48:12.240 going to be. Pattern recognition: how you 0:48:12.240,0:48:15.800 can match one bit of data with another 0:48:15.800,0:48:19.040 bit, okay. Is there any association 0:48:19.040,0:48:23.359 between bits, between bytes, between data, 0:48:23.359,0:48:26.640 between words? This is a critical 0:48:26.640,0:48:29.400 component. Communication analysis: again, 0:48:29.400,0:48:31.319 you want to make sure that you include 0:48:31.319,0:48:34.680 everything. Emails today are probably the 0:48:34.680,0:48:37.760 most relevant component of digital 0:48:37.760,0:48:39.800 forensic analysis; you want to make sure 0:48:39.800,0:48:42.839 that you master email analysis as well.
0:48:42.839,0:48:45.640 Data encryption: you always have to keep 0:48:45.640,0:48:48.079 in mind the confidentiality, and when we 0:48:48.079,0:48:50.520 are talking about the recovery, or the 0:48:50.520,0:48:53.160 recovery image, I mentioned that as well, 0:48:53.160,0:48:56.040 similar to the chain of custody before, 0:48:56.040,0:48:58.160 because you always have to preserve the 0:48:58.160,0:49:01.240 digital, the original data. Evidence 0:49:01.240,0:49:03.000 examination: you want to make sure that 0:49:03.000,0:49:06.000 you verify the integrity of the data you 0:49:06.000,0:49:08.799 have been acquiring, including hash values, 0:49:08.799,0:49:11.440 digital signatures and the chain of 0:49:11.440,0:49:14.119 custody. We talked about this already; 0:49:14.119,0:49:16.880 this is a repeat of the slide, by the way, 0:49:16.880,0:49:20.480 okay. So, database examination, and you 0:49:20.480,0:49:23.760 are seeing a duplicate slide, so this slide 0:49:23.760,0:49:27.680 is the same as this, okay, so my apology 0:49:27.680,0:49:30.680 for that, it's my fault. Database 0:49:30.680,0:49:33.000 examination: investigate databases for 0:49:33.000,0:49:35.480 valuable information, including 0:49:35.480,0:49:38.760 structured data and log entries etc. 0:49:38.760,0:49:41.240 Media analysis: this is a very complex 0:49:41.240,0:49:43.960 process, because it's usually about steganography, 0:49:43.960,0:49:47.200 or includes steganography, and this is about 0:49:47.200,0:49:50.040 images, videos, audio, geolocation and 0:49:50.040,0:49:52.319 digital signatures. Network traffic 0:49:52.319,0:49:56.359 analysis tools such as Wireshark, huh, but my 0:49:56.359,0:49:59.160 suggestion is that you use all the tools 0:49:59.160,0:50:02.119 that are part of the artificial 0:50:02.119,0:50:04.720 intelligence applications we can use 0:50:04.720,0:50:06.839 today and are available in the 0:50:06.839,0:50:10.520 market. Steganography is always complex, okay, 0:50:10.520,0:50:14.079 because steganography includes not only images but
0:50:14.079,0:50:16.880 in many cases audio as well, and this is 0:50:16.880,0:50:19.720 very complex, time consuming. You always 0:50:19.720,0:50:22.359 want to make sure that you use the 0:50:22.359,0:50:24.359 appropriate steganography analysis techniques, 0:50:24.359,0:50:27.160 and there are multiple specific ones. For 0:50:27.160,0:50:29.960 volatile analysis, as I mentioned before, 0:50:29.960,0:50:33.440 there are multiple ways to do 0:50:33.440,0:50:37.599 data acquisition from RAM memory. When we 0:50:37.599,0:50:41.240 turn off the computer, all the data from 0:50:41.240,0:50:44.200 RAM doesn't go off. This is what 0:50:44.200,0:50:47.319 everybody says, this is what Google says, 0:50:47.319,0:50:48.960 this is what people that never do 0:50:48.960,0:50:51.920 forensic investigation repeat. This is 0:50:51.920,0:50:54.920 not appropriate if you know how to do it, 0:50:54.920,0:50:57.480 and again, I made the presentation for EC- 0:50:57.480,0:51:00.440 Council in 2019. If you Google my name and 0:51:00.440,0:51:02.640 this presentation you will be able to 0:51:02.640,0:51:05.880 find a particular video in which I was 0:51:05.880,0:51:08.359 able to recover data from RAM memory 0:51:08.359,0:51:12.119 after the computer was taken down, taken 0:51:12.119,0:51:15.000 down, believe it or not. Go for the other 0:51:15.000,0:51:16.839 presentation that is in the EC-Council 0:51:16.839,0:51:19.079 database and you will be able to see the 0:51:19.079,0:51:21.640 video, okay. Comparison: you have to do 0:51:21.640,0:51:24.359 cross reference every single time to 0:51:24.359,0:51:27.040 make sure that the data you identify is 0:51:27.040,0:51:30.359 appropriate, and you always identify, 0:51:30.359,0:51:32.760 identify deviations and 0:51:32.760,0:51:35.240 inconsistencies before you do the final 0:51:35.240,0:51:38.079 report. I told you already, when you 0:51:38.079,0:51:40.839 present the report in the court of law 0:51:40.839,0:51:44.359 any minimum mistake, something minimum, 0:51:44.359,0:51:46.839 will
be disqualified in the case. For 0:51:46.839,0:51:49.599 example, in this presentation I included, 0:51:49.599,0:51:53.480 by mistake, this slide and this slide. 0:51:53.480,0:51:56.000 If I do that in the court of law 0:51:56.000,0:51:56.960 it is 0:51:56.960,0:52:00.040 dismissed, okay? That's it, there is no more 0:52:00.040,0:52:02.400 conversation. The emotion analysis, we 0:52:02.400,0:52:04.680 have talked about that. We are talking 0:52:04.680,0:52:07.839 about persons; digital evidence is always 0:52:07.839,0:52:11.920 related to people, to processes, 0:52:11.920,0:52:14.839 applications, hardware, software, so we 0:52:14.839,0:52:17.920 want to make sure that what we present 0:52:17.920,0:52:20.160 is accurate. And from the documentation, 0:52:20.160,0:52:22.720 at some point it was the second point in 0:52:22.720,0:52:25.400 the presentation, we have to document 0:52:25.400,0:52:28.240 everything. Reporting is about compiling 0:52:28.240,0:52:31.559 in a clear and comprehensive manner, 0:52:31.559,0:52:33.720 including summaries, methodologies and 0:52:33.720,0:52:35.880 supporting evidence. You have to include, 0:52:35.880,0:52:39.000 or at least in my case I always include, 0:52:39.000,0:52:41.960 the recordings of everything I do. 0:52:41.960,0:52:43.960 Everything means even if I open my 0:52:43.960,0:52:46.280 personal email, or if a notification comes 0:52:46.280,0:52:48.799 to my computer and I open something in 0:52:48.799,0:52:52.640 my WhatsApp, for example, this is 0:52:52.640,0:52:55.760 part of the recording as well, okay? So 0:52:55.760,0:52:58.359 you have to make sure that you provide 0:52:58.359,0:53:00.920 an expert testimony; in order to do that 0:53:00.920,0:53:02.359 you have to be an expert in digital 0:53:02.359,0:53:06.000 currency. Peer review: consult with others, 0:53:06.000,0:53:08.280 with your partners, with the opponent, 0:53:08.280,0:53:10.680 with the defendant's party, before you 0:53:10.680,0:53:12.240 present. It's not that you are going to
0:53:12.240,0:53:14.799 modify the report because the defendant 0:53:14.799,0:53:16.640 doesn't like it, this is not what I'm 0:53:16.640,0:53:18.920 telling you. It's just that you are going 0:53:18.920,0:53:21.359 to provide the report, and by the way, you 0:53:21.359,0:53:24.119 must provide the report to the defendant 0:53:24.119,0:53:26.720 before you go to the court. By the time 0:53:26.720,0:53:28.480 you stand up in the court, everything 0:53:28.480,0:53:30.240 needs to be done; the other party needs to 0:53:30.240,0:53:32.680 know exactly what you are going to 0:53:32.680,0:53:35.280 present. This is how the legal systems 0:53:35.280,0:53:38.280 work, okay, with the exception of very few 0:53:38.280,0:53:41.000 countries, but in the world this is how 0:53:41.000,0:53:44.400 it works. So the quality assurance is just 0:53:44.400,0:53:46.240 making sure that what you present is 0:53:46.240,0:53:49.480 appropriate. The case management is how 0:53:49.480,0:53:51.400 you use the digital forensic management 0:53:51.400,0:53:53.680 system to track everything in the analysis 0:53:53.680,0:53:56.440 process. And for the data privacy 0:53:56.440,0:53:58.559 compliance, I told you already, every 0:53:58.559,0:54:00.440 single place, every single city, every 0:54:00.440,0:54:02.559 single state operates under different 0:54:02.559,0:54:04.920 conditions. Popular tools for digital 0:54:04.920,0:54:08.680 forensics, a few of those: EnCase, 0:54:08.680,0:54:11.720 Autopsy, AccessData, everybody knows how 0:54:11.720,0:54:14.559 it is, Forensic Toolkit, X-Ways Forensics, 0:54:14.559,0:54:17.960 Cellebrite, Volatility, Wireshark, 0:54:17.960,0:54:20.520 everybody most likely knows, Oxygen 0:54:20.520,0:54:22.839 Forensic Detective, and the Digital 0:54:22.839,0:54:25.319 Evidence and Forensic Toolkit. So some 0:54:25.319,0:54:28.160 of those are included in Kali, others do 0:54:28.160,0:54:31.359 not; some are open source, others are 0:54:31.359,0:54:34.119 extremely expensive, for example EnCase, 0:54:34.119,0:54:37.280 which
is very, very expensive. Some 0:54:37.280,0:54:39.280 relevant references about digital 0:54:39.280,0:54:43.000 forensics: I prefer to use keywords and 0:54:43.000,0:54:45.599 not particular references or books, 0:54:45.599,0:54:49.000 because I don't recommend any specific 0:54:49.000,0:54:51.960 book, instead the combination of content 0:54:51.960,0:54:54.160 and knowledge and expertise. But some 0:54:54.160,0:54:56.480 words or keywords you can use if you 0:54:56.480,0:54:58.960 want to expand more in digital forensics 0:54:58.960,0:55:02.079 are: digital forensics best practices, 0:55:02.079,0:55:04.839 challenges in mobile digital forensics, 0:55:04.839,0:55:07.000 network forensics techniques, cloud 0:55:07.000,0:55:09.559 forensics investigations, Internet of 0:55:09.559,0:55:12.839 Things forensics, memory forensics analysis, 0:55:12.839,0:55:14.799 because you want to stop repeating what 0:55:14.799,0:55:17.119 you have been learning for years, that when 0:55:17.119,0:55:19.160 you take down the computer, when the 0:55:19.160,0:55:21.240 computer is turned 0:55:21.240,0:55:24.119 off, there is a lot of data that 0:55:24.119,0:55:26.760 remains in RAM memory for a particular 0:55:26.760,0:55:30.520 amount of time, of course, okay? So try to 0:55:30.520,0:55:32.880 expand on this topic: malware analysis in 0:55:32.880,0:55:35.440 digital forensics, and cyber security and 0:55:35.440,0:55:37.839 digital forensics trends. Those are 0:55:37.839,0:55:41.240 keywords that will be facilitating your 0:55:41.240,0:55:44.280 expansion, or you expanding, on digital 0:55:44.280,0:55:48.240 forensics knowledge. Other 0:55:48.240,0:55:50.880 considerations are some particular 0:55:50.880,0:55:54.240 journals, okay. In this case I'm going 0:55:54.240,0:55:56.799 to risk it and recommend Digital 0:55:56.799,0:55:59.720 Investigation, that is published by Elsevier, 0:55:59.720,0:56:02.480 it is one of the top in the world. The other 0:56:02.480,0:56:04.599 one is the Journal of Digital Forensics, 0:56:04.599,0:56:07.559
Security and Law, and Forensic Science 0:56:07.559,0:56:12.160 International: Digital Investigation. 0:56:12.839,0:56:15.520 Report: I'm open to any question you may 0:56:15.520,0:56:19.319 have, and one more time, before I 0:56:19.319,0:56:22.440 close my lips, I want to sincerely thank 0:56:22.440,0:56:25.160 you, EC-Council, for another opportunity 0:56:25.160,0:56:27.760 to talk about this fascinating topic. 0:56:27.760,0:56:29.880 Thank you very much to all the staff in 0:56:29.880,0:56:34.079 EC-Council that worked tirelessly, who made 0:56:34.079,0:56:37.079 this presentation a possibility, and 0:56:37.079,0:56:39.000 thank you so much as well to you guys 0:56:39.000,0:56:41.160 attending the conference and 0:56:41.160,0:56:44.440 for the questions that you may 0:56:44.880,0:56:47.559 ask. Thank you very much, Dr Lewis, for 0:56:47.559,0:56:49.200 such an insightful and informative 0:56:49.200,0:56:50.760 session. That was really a very 0:56:50.760,0:56:52.880 interesting webinar and we hope it was 0:56:52.880,0:56:55.480 worth your time too. Now, before we 0:56:55.480,0:56:57.280 begin with the Q&A, I would like to 0:56:57.280,0:56:59.680 inform all the attendees that EC-Council's 0:56:59.680,0:57:03.119 CHFI maps to the forensic 0:57:03.119,0:57:05.319 investigator and the consultant digital 0:57:05.319,0:57:07.760 forensics roles. Anyone with the CHFI 0:57:07.760,0:57:10.079 certification is eligible for 4,000 plus 0:57:10.079,0:57:12.200 job vacancies globally with an average 0:57:12.200,0:57:13.240 salary of 0:57:13.240,0:57:15.319 $95,000. If you're interested to learn 0:57:15.319,0:57:17.079 more, kindly take part in the poll that's 0:57:17.079,0:57:18.839 going to be conducted now. Let us know 0:57:18.839,0:57:20.240 your preferred mode of training and we 0:57:20.240,0:57:23.039 will reach out to you 0:57:23.799,0:57:26.599 soon. 0:57:26.599,0:57:29.440 Uh, Dr Lewis, shall we start with the 0:57:29.440,0:57:32.119 Q&A? Yes, I'm ready 0:57:32.119,0:57:35.319 for it. Okay, our
first question is: how to 0:57:35.319,0:57:38.640 prove in a court of law that the collected 0:57:38.640,0:57:40.839 evidence is from the same object and not 0:57:40.839,0:57:43.160 collected from any other 0:57:43.160,0:57:46.400 object? This is a very important question. 0:57:46.400,0:57:48.720 I really appreciate the clarification on 0:57:48.720,0:57:51.640 this topic. As I said, we have to be very 0:57:51.640,0:57:53.520 careful about the way we collect the 0:57:53.520,0:57:56.400 data. When we are talking about objects, 0:57:56.400,0:57:59.760 objects are associated to bits, not to 0:57:59.760,0:58:02.359 bytes only, but bits. And as I mentioned 0:58:02.359,0:58:05.760 multiple times, when we do the copy of 0:58:05.760,0:58:08.680 the original data we want to make sure 0:58:08.680,0:58:11.960 that we always do it bit by bit. When you do 0:58:11.960,0:58:16.640 bit by bit and not byte by byte, because a bit 0:58:16.640,0:58:21.599 implies up to 3.4 volts in electricity, 0:58:21.599,0:58:24.119 we are eliminating the possibility of 0:58:24.119,0:58:27.839 mistake. Objects are bigger; a bit does not 0:58:27.839,0:58:31.039 constitute an object, objects are formed 0:58:31.039,0:58:34.200 by multiple bits. This is why we have to 0:58:34.200,0:58:37.039 do the analysis bit by bit, and I 0:58:37.039,0:58:40.240 mentioned that multiple 0:58:42.079,0:58:44.200 times. Thank you for answering that 0:58:44.200,0:58:46.520 question. Our next question is: what kind 0:58:46.520,0:58:48.839 of forensic data can we obtain from 0:58:48.839,0:58:51.039 encrypted data where the key is not 0:58:51.039,0:58:53.720 available to decrypt the 0:58:53.720,0:58:58.280 data? Could you please repeat the 0:58:58.520,0:59:01.520 question? What kind of forensic data can 0:59:01.520,0:59:04.079 be obtained from encrypted data 0:59:04.079,0:59:05.880 where the key is not available to 0:59:05.880,0:59:08.599 decrypt the 0:59:09.319,0:59:13.039 data? You encrypt 0:59:13.039,0:59:16.119 data... uh, I'll just paste the question to you
0:59:16.119,0:59:19.599 on chat, uh, Dr 0:59:19.599,0:59:23.200 Lewis. I'm not watching the chat right now, 0:59:23.200,0:59:26.640 something happened. 0:59:28.319,0:59:30.359 I'm not watching the 0:59:30.359,0:59:34.680 chat, sorry. Hello, hello, hello, can 0:59:34.680,0:59:35.960 you hear 0:59:35.960,0:59:39.960 me? Yes, I can hear you. Yes, I have posted 0:59:39.960,0:59:43.440 the question on the chat, Dr Lewis. Okay, 0:59:43.440,0:59:47.480 okay, please. Yes, I have already pasted it. 0:59:47.480,0:59:50.599 Okay, let me check 0:59:53.640,0:59:56.400 here. 0:59:56.400,0:59:59.680 Okay, give me a second. Okay, what kind of 0:59:59.680,1:00:01.400 forensic data can be obtained from 1:00:01.400,1:00:04.799 encrypted data? Oh, okay, okay. Well, this is 1:00:04.799,1:00:07.240 another misperception, okay? Everybody 1:00:07.240,1:00:09.799 knows that when the data is encrypted we 1:00:09.799,1:00:12.640 cannot open the data, or the particular 1:00:12.640,1:00:16.079 file, document, video, any kind of digital 1:00:16.079,1:00:18.520 forensic data. Let me tell you something: 1:00:18.520,1:00:21.000 there are multiple forensic tools that 1:00:21.000,1:00:23.599 have the ability to decrypt the data 1:00:23.599,1:00:26.079 even when we don't have the key. This, and 1:00:26.079,1:00:28.640 I understand the key component, and I 1:00:28.640,1:00:30.039 understand the two types of 1:00:30.039,1:00:32.599 encryption, symmetric and asymmetric, and 1:00:32.599,1:00:34.760 as I said, I have multiple publications 1:00:34.760,1:00:35.960 about 1:00:35.960,1:00:40.160 encryption, er, but there is most likely 1:00:40.160,1:00:43.839 always the possibility to encrypt data 1:00:43.839,1:00:47.480 without having the encryption key. I 1:00:47.480,1:00:49.559 understand that it doesn't sound 1:00:49.559,1:00:52.280 popular, it's not what we hear every 1:00:52.280,1:00:55.160 single time, but when we specialize 1:00:55.160,1:00:58.520 in digital forensics we usually have the 1:00:58.520,1:01:01.839 tools we need to decrypt the
data, 1:01:01.839,1:01:04.319 especially if you are using artificial 1:01:04.319,1:01:07.400 intelligence. Also in the government, at 1:01:07.400,1:01:09.280 least in the US government, in my 1:01:09.280,1:01:12.160 operation, in the operation I direct, I 1:01:12.160,1:01:14.640 handle, I supervise, we are using 1:01:14.640,1:01:16.480 artificial intelligence for multiple 1:01:16.480,1:01:19.599 things in cyber security since 1:01:19.599,1:01:22.319 2017, and we are also using quantum 1:01:22.319,1:01:24.760 computing. Quantum computing is not 1:01:24.760,1:01:28.839 coming, quantum computing is in use in the 1:01:28.839,1:01:31.559 US government for years now, so we are 1:01:31.559,1:01:34.520 using quantum computing for years. There 1:01:34.520,1:01:37.319 are multiple ways to decrypt the data 1:01:37.319,1:01:40.640 when the encryption key is not available, 1:01:40.640,1:01:42.720 multiple ways, multiple applications as 1:01:42.720,1:01:45.319 well that help with the process. It's 1:01:45.319,1:01:47.799 very time consuming, but there is a 1:01:47.799,1:01:50.760 possibility for that, and this is a great 1:01:50.760,1:01:53.240 question, because the question is, okay, 1:01:53.240,1:01:55.559 what about if the hard drive is encrypted, 1:01:55.559,1:01:57.760 there is nothing that I can do, right? No, 1:01:57.760,1:02:00.000 it is not like that. There are always 1:02:00.000,1:02:02.480 ways to decrypt the data, always, it 1:02:02.480,1:02:04.920 doesn't matter how strong the encryption 1:02:04.920,1:02:06.960 is, but you need to have the appropriate 1:02:06.960,1:02:09.640 tools in place. For example, I'm going to 1:02:09.640,1:02:13.319 mention just one: EnCase. When I presented 1:02:13.319,1:02:17.319 some tools that I suggest, before, I 1:02:17.319,1:02:20.839 said that EnCase is very expensive. 1:02:20.839,1:02:24.079 EnCase does "magic", between quotation marks. 1:02:24.079,1:02:26.240 EnCase does multiple things that we don't 1:02:26.240,1:02:28.799 learn in the school. 1:02:28.799,1:02:31.760
Okay, so I can see the other question 1:02:31.760,1:02:33.839 here: how to adapt an investigation to 1:02:33.839,1:02:35.880 the cloud, since the cloud providers do 1:02:35.880,1:02:38.160 not allow most of the important operations to 1:02:38.160,1:02:41.520 access media? When you have to do a case, 1:02:41.520,1:02:45.400 or conduct digital forensics in the cloud, 1:02:45.400,1:02:48.799 the cloud providers, 99% of the time, I 1:02:48.799,1:02:50.520 don't want to say 100 because I don't 1:02:50.520,1:02:52.960 want to risk that, but usually the 1:02:52.960,1:02:56.480 cloud providers include in the SLA, in 1:02:56.480,1:02:58.520 the service level agreement, what is 1:02:58.520,1:03:01.599 going to happen if a digital forensic or 1:03:01.599,1:03:04.160 any kind of investigation 1:03:04.160,1:03:08.079 needs to be performed in the cloud space. 1:03:08.079,1:03:11.079 So most likely the cloud operator is 1:03:11.079,1:03:13.599 going to facilitate access to everything 1:03:13.599,1:03:16.359 you need. Sometimes you have to move and 1:03:16.359,1:03:19.319 go physically to the place in which the 1:03:19.319,1:03:20.960 data is 1:03:20.960,1:03:23.480 hosted. Don't believe that the cloud 1:03:23.480,1:03:25.640 provider doesn't know where the data is 1:03:25.640,1:03:28.920 hosted; we know where the data is hosted. 1:03:28.920,1:03:31.400 Specifically, I have been in San Diego, 1:03:31.400,1:03:34.119 California, and in other states, in Hawaii, 1:03:34.119,1:03:35.799 back in 1:03:35.799,1:03:38.440 2019 as well, doing forensic 1:03:38.440,1:03:40.839 investigation in a cloud environment. It 1:03:40.839,1:03:43.079 was actually for something government 1:03:43.079,1:03:46.480 related, and I was given the permission I 1:03:46.480,1:03:49.279 needed to do any kind of investigation. So 1:03:49.279,1:03:52.000 cloud providers facilitate forensic 1:03:52.000,1:03:54.640 analysis, because forensic analyses are 1:03:54.640,1:03:58.079 usually related to legal cases. There are 1:03:58.079,1:04:01.039
multiple cases in which, in the USA, we don't 1:04:01.039,1:04:02.760 have access to this data, and I'm going 1:04:02.760,1:04:06.599 to mention an example: TikTok. TikTok, 1:04:06.599,1:04:08.640 the problem between the US government 1:04:08.640,1:04:11.839 and TikTok is that when TikTok got the 1:04:11.839,1:04:14.839 authorization to operate in the USA, the 1:04:14.839,1:04:18.559 government was one step behind, 1:04:18.559,1:04:21.079 okay, and we don't regulate TikTok at 1:04:21.079,1:04:25.200 this point. TikTok has the ability to 1:04:25.200,1:04:28.279 prevent forensic investigation in the 1:04:28.279,1:04:31.400 TikTok platforms for the US government, 1:04:31.400,1:04:34.599 court system or legal system, okay? But 1:04:34.599,1:04:37.680 again, usually cloud providers facilitate 1:04:37.680,1:04:40.760 investigation in the cloud 100%. They 1:04:40.760,1:04:43.240 cooperate in every single manner; they 1:04:43.240,1:04:48.000 have to facilitate the forensic 1:04:49.799,1:04:51.720 investigation. Thank you for answering 1:04:51.720,1:04:53.880 that question. Uh, we'll take the last 1:04:53.880,1:04:56.839 question for the day: uh, what are the best 1:04:56.839,1:05:00.279 open source, free tools for social media 1:05:00.279,1:05:03.559 forensics? There is no best open source 1:05:03.559,1:05:05.640 tool; it is a combination of tools. 1:05:05.640,1:05:08.559 Number one, digital forensics cannot be 1:05:08.559,1:05:10.640 performed, categorically speaking, with 1:05:10.640,1:05:14.520 one or two tools. This is a complex, time 1:05:14.520,1:05:18.240 consuming and expensive process. I made 1:05:18.240,1:05:21.160 some suggestions, it's included in the 1:05:21.160,1:05:26.079 slide, er, let me see, a slide, 1:05:27.319,1:05:29.400 slide 1:05:29.400,1:05:31.000 number 1:05:31.000,1:05:34.119 16. Okay, this is the slide in which I 1:05:34.119,1:05:37.400 include EnCase, Autopsy, and so on. Some of 1:05:37.400,1:05:40.520 them are open source, as I mentioned 1:05:40.520,1:05:43.359
before, but there 1:05:43.359,1:05:46.039 is not a particular tool, or two or three 1:05:46.039,1:05:48.119 tools, that I will recommend, because on 1:05:48.119,1:05:52.319 top of that, every single forensic 1:05:52.319,1:05:54.640 investigation is about a different 1:05:54.640,1:05:57.440 process; you cannot use the same tools. 1:05:57.440,1:06:00.720 This is why there are very, at least in the 1:06:00.720,1:06:04.400 USA, a very small number of organizations, 1:06:04.400,1:06:07.039 companies, that specialize in digital 1:06:07.039,1:06:10.440 forensics, as my company does. The reason 1:06:10.440,1:06:13.520 why is because, among many other things, 1:06:13.520,1:06:15.920 lack of expertise and 1:06:15.920,1:06:19.240 expenses, okay? So I do not recommend a 1:06:19.240,1:06:21.799 particular tool, instead a combination 1:06:21.799,1:06:24.440 of tools. There are multiple open source ones; 1:06:24.440,1:06:27.799 I mention a few in slide number 16 of 1:06:27.799,1:06:30.760 my PowerPoint presentation, but again, 1:06:30.760,1:06:33.279 those are not sufficient. Those are the 1:06:33.279,1:06:35.559 most popular and 1:06:35.559,1:06:39.480 strong, er, more accurate, uh, tools that 1:06:39.480,1:06:41.760 you can use for digital forensics, but a 1:06:41.760,1:06:43.680 particular tool, one or two, to do a 1:06:43.680,1:06:47.160 forensic investigation, it doesn't exist, 1:06:47.160,1:06:49.839 it is impossible, 1:06:51.720,1:06:54.039 it doesn't. Thank you again to our wonderful 1:06:54.039,1:06:56.000 speaker, Dr Lewis, for answering those 1:06:56.000,1:06:57.960 questions and for the great presentation 1:06:57.960,1:06:59.720 and knowledge shared with our global 1:06:59.720,1:07:01.720 audiences. It was a pleasure to have you 1:07:01.720,1:07:03.559 with us, and we are looking for more and 1:07:03.559,1:07:05.200 more sessions with you. Before we 1:07:05.200,1:07:06.880 conclude the webinar, Dr Lewis, would you 1:07:06.880,1:07:08.240 like to give a small message to our 1:07:08.240,1:07:10.680 audiences,
1:07:10.680,1:07:14.160 please? Well, no, I just want to thank 1:07:14.160,1:07:16.760 everybody again, the ones that worked 1:07:16.760,1:07:21.160 tirelessly behind the presentation, to you 1:07:21.160,1:07:23.559 in EC-Council, as always, thank you very 1:07:23.559,1:07:25.440 much for the support, and to all the 1:07:25.440,1:07:28.000 attendees, I hope you learned something new. 1:07:28.000,1:07:31.559 Let me clarify that every single piece of content, 1:07:31.559,1:07:34.160 wording, words, etc., that I have been 1:07:34.160,1:07:36.559 presenting for you is my original 1:07:36.559,1:07:39.119 creation, 100%, not 1:07:39.119,1:07:42.920 99.99 but 100%, categorically speaking, 1:07:42.920,1:07:44.960 and I put together those notes and 1:07:44.960,1:07:47.960 reflections for you guys with the hope 1:07:47.960,1:07:49.440 that you can come back to your 1:07:49.440,1:07:52.359 organization and serve better, that you can 1:07:52.359,1:07:54.760 become a public servant, 1:07:54.760,1:07:57.119 er, and go to the court and testify in 1:07:57.119,1:08:00.799 favor of the party that deserves your 1:08:00.799,1:08:03.599 benefits. And I sincerely thank you for 1:08:03.599,1:08:05.599 the opportunity to share my expertise 1:08:05.599,1:08:08.640 with you guys. Have a nice weekend, okay? 1:08:08.640,1:08:10.200 Thank you very much for the time and the 1:08:10.200,1:08:13.160 questions. Thank you so 1:08:14.279,1:08:16.920 much. Thank you so much, Dr Lewis, for your 1:08:16.920,1:08:19.120 message. Before we end the session, I 1:08:19.120,1:08:20.479 would like to announce the next Cyber 1:08:20.479,1:08:23.040 Talks session, "Why are strong foundational 1:08:23.040,1:08:24.759 cyber security skills essential for 1:08:24.759,1:08:26.960 every IT professional?", which is scheduled 1:08:26.960,1:08:29.279 on November 8, 2023. This session is an 1:08:29.279,1:08:31.439 expert presentation by Roger Smith, 1:08:31.439,1:08:34.279 Director, Care Managed IT, Industry Fellow 1:08:34.279,1:08:36.719 at Australian Defence Force Academy. To
1:08:36.719,1:08:38.359 register for this session, please do go 1:08:38.359,1:08:40.399 visit our website, 1:08:40.399,1:08:43.439 www.ccu.edu cybertalks. The link is 1:08:43.439,1:08:45.279 given in the chat section. Hope to see 1:08:45.279,1:08:48.000 you all on November 8th. With this we end the 1:08:48.000,1:08:49.880 session; with this you may disconnect 1:08:49.880,1:08:52.080 your lines. Thank you, thank you so much, 1:08:52.080,1:08:55.238 Dr Lewis, pleasure having you. 1:08:55.238,1:08:57.319 Likewise, thank you very much for the 1:08:57.319,1:09:01.920 opportunity. Thank you, have a good day.