Hello everyone, and welcome to today's session, Digital Forensics: Best Practices from Data Acquisition to Analysis. I'm Shilpago Swami and I'll be your host for the day. Before we get started, we would like to go over a few house rules for our attendees. The session will be in listen-only mode and will last for an hour, of which the last 15 minutes will be dedicated to Q&A. If you have any questions during the webinar for our organizers or our speakers, use the Q&A window. Also, if you face any audio or video challenges, please check your internet connection, or you may log out and log in again. An important announcement for our audience: we have initiated CPE credit certificates for our participants. To qualify for one, attendees are required to attend the entire webinar and then send an email to cybertalks at eccouncil.org, after which our team will issue the CPE certificate. We would also like to tell our audience about the special handouts: take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC-Council and #cybertalks, and we will share free handouts with the first 15 audience members. As a commitment to closing the cybersecurity workforce gap by creating multi-domain cyber technicians, EC-Council pledges $3.5 million towards CCT education and certification scholarships to certify approximately 10,000 cyber professionals ready to contribute to the industry. Did you know that you can be part of the lucrative cybersecurity industry? Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cybersecurity professionals, and the cybersecurity industry has a 0% unemployment rate. The average salary for an entry-level cybersecurity job is about $100,000 per year in the United States. Furthermore, you don't need to know coding, you can learn from your home, and you get a scholarship to kickstart your career. Apply.
Now, EC-Council is pledging a $3.5 million CCT scholarship for cybersecurity career starters. Scan the QR code on the screen to apply for the scholarship and fill out the form.

Now about our speaker, Dr. Lewis. Dr. Lewis Noguerol is the Information System Security Officer for the US Department of Commerce, NOAA, where he oversees cybersecurity operations for six states in the Southeast region. Dr. Lewis is also the President and CEO of Advanced Division of Informatics and Technology Inc., a company that focuses on data recovery, digital forensics and penetration testing. He is a world-renowned expert in data recovery, digital forensics and penetration testing. He holds multiple globally recognized information technology and cybersecurity certifications and accreditations, and is the recipient of multiple awards in technology, cybersecurity and mathematics. He currently serves pro bono as an editorial board member and reviewer of the American Journal of Information Science and Technology, is an adjunct professor for undergraduate and graduate programs at multiple universities in the US, and is a reviewer for the doctoral program at the University of Karachi in Pakistan. He is the author of multiple cybersecurity publications and articles, including "Cybersecurity Issues in Blockchain: Challenges and Possible Solutions", and he is one of the co-authors and reviewers of the worldwide acclaimed book Intrusion Detection Guide. Prior to obtaining his doctoral degree in Information Systems and Technologies from the University of Phoenix, Dr. Lewis earned a Bachelor of Science in Radio Technical and Electronic Engineering, a Bachelor of Science in Telecommunications and Networking, and a Master of Science in Mathematics and Computer Sciences. Without any further delay, I would hand over the session to you, Dr. Lewis. Thank you very much.

Thanks. Okay. Good morning, everybody. Good afternoon.
Good night, depending on the specific area in which you reside. We are going to have an interesting conversation today about digital forensics best practices, from data acquisition to analysis. This is the title of the presentation and the subject, and I'm more than happy to be here with you guys and to share some of my expertise. So let's go and start the conference. Okay, she already mentioned some of my credentials. I have been working in cybersecurity at this point for over 41 years. This is in my DNA, a topic that I really like, respect and love, as I cannot talk about any other topic in my life.

Before we go, I have here a segment that I put together for you. Okay, digital forensics best practices. Well, consideration number one, just to break the ice: in the labyrinth of cyberspace, where shadows dance through encrypted passages and data whispers its secrets, the digital detective emerges. This is us, the digital forensic expert. Clad in lines of code and armed with algorithms, they seek to unearth treasures of truth, solving enigmatic cyber crimes with a virtual magnifying glass. This is what we do. They dissect, or we dissect, the digital tapestry, revealing the footprints of elusive cyber culprits. This is what cyber forensics or digital forensics is about. Each stroke and pixel holds a clue, something that we can use in our favor, and in this mesmerizing world of the digital era, of ones and zeros, the art of digital forensics unfolds, unveiling the secrets of the digital realm.

So forensics is about finding evidence that can lead to a particular process. It can be a legal process; it can be any other kind of process. But what is digital forensics from my point of view? Well, I mentioned, I guess, already that I have been working in cybersecurity for 41 years. My specializations are in penetration testing, data recovery and digital forensics. I have been working for the police department at multiple places doing digital forensics for years, so I tried to put together an easy definition for you, from my standpoint, about what digital forensics is.
Digital forensics investigates digital devices and electronic data to uncover evidence. Please note that I don't say electronic information; I use the word data intentionally. Understand digital events and trace illicit activities: this is a key component of digital forensics. Normally speaking, digital forensics happens, of course, after the fact, and the idea of digital forensics is identifying pieces, okay, that lead to particular data that we can convey together and make a conclusion. It involves the systematic collection, preservation, analysis and presentation of digital evidence in legal proceedings, and this is key today because we are technology dependent, and there are multiple states, at least in the USA and in some other countries, in which digital forensics is still in a limbo because it's not accepted in the court of law. Okay, so this is very important to keep in mind. What are we going to do from the digital forensics standpoint? The data collection process and the analysis. Digital forensic experts use specialized techniques and tools to find data from computers, smartphones, networks and digital storage media to support investigations and resolve legal matters. So this is basically what digital forensics is about.

Let's go and start with the technical part, which is the topic I like more. Okay, let's go and talk about those 30 best practices that I am putting together for you. At the end of the presentation you will have the opportunity to ask as many questions as you like.

Number one: you have to follow the legal and ethical standards. For this particular first one I am not going to make any comment. I believe that ethics is a component, a key component, of the cybersecurity expert. Do we always have to follow the rules? We always must follow the legal procedures in the places in which we operate, because every single place is different.

Component number two: preserve the original evidence. This is key. Okay, you always have to maintain the integrity of the original evidence to ensure it is
admissible in court. Any kind of manipulation, any kind of modification, is going to end in disqualification from the court system.

Document everything. This is something that technical people like me don't like too much, but when it comes to digital forensics we have to document every single step we do. We have to do video recording of all the steps we follow, and we want to make sure that everything is documented and recorded in the specific chronological order. This is a key component as well for the digital forensic investigation to be accepted in the court of law.

Secure the scene. Ensure that physical and digital crime scenes are secured to prevent contamination. If you present anything in the court and the opposite party has the ability to prove that something was not preserved, the conversation is over.

Chain of custody, and I'm going to repeat that more than once during the presentation, I'm sorry. Chain of custody is how you establish and maintain the evidence, and the process that shows how the tracking process is handled.

Use write-blocking tools. This is another key component of digital forensics. It means that you have to use the appropriate hardware and software that provide write blockers when you are collecting data, to prevent alteration. There is a set of tools you can use, and at the end of the presentation I'm going to provide you with a specific set of tools you can use as write-blocking tools.

Verify hash values. This is how you calculate and compare hash values to confirm data integrity. There is confusion about integrity, confidentiality and availability; in digital forensics the most important component is integrity. It means that we have to make every single effort to make sure that the data is not modified in any possible way, from the time we arrive to the time that we present the evidence in the court, and after that as well.

So the other component is: collect volatile data first. Okay, it
obviously makes perfect sense, so you have to prioritize this type of data collection, as it can be lost or modified when the system is powered down. For many of you, what I'm going to tell you probably is going to sound not appropriate, and this is the following assessment. We have the perception, we have been told from the time that we arrived at school and even at work, that information, or data (data, not information, data) in RAM, random access memory, disappears when the computer is shut down. Back in 2019 I gave a presentation similar to this one for EC-Council as well, in which I proved that the data in RAM memory can be recovered. Okay, so what we have been learning in multiple places, what you can easily find in Google, that data in RAM is lost when the computers are powered down, is not exactly correct.

The other component is forensic imaging. You have to create forensic images of storage devices to work with copies, and always have to preserve the original evidence. This is a requirement in the court of law: you must preserve the original evidence every single time.

The other component is data recovery. Data recovery is very closely associated with digital forensics, for obvious reasons, okay, and you have to employ specialized tools to recover deleted or hidden data. This is also something to keep in mind, and at the end I'm going to provide some specific applications you can use to do data recovery.

Timeline analysis. You have to construct and analyze timelines to understand the sequence of events, what happened first. The chronological order is a mandatory requirement in the court of law. You cannot provide evidence in the court of law in a random manner; you have to follow the specific chronological order.

The other consideration is preserving the metadata: ensuring metadata integrity to verify the source, timing and authenticity of the digital artifact you are going to present in the court of law.

Use known-good reference data. It means that you have to compare the
collected data with known-good reference data to identify anomalies. This is a statistical process, statistics, mathematics; many times you have to do that as well.

Anti-forensic awareness. You have to be aware of anti-forensic techniques and counteract them. There are multiple applications that work against digital forensics, so you have to be aware of that, and before you start the digital forensic analysis, while you are doing or working in the digital forensic data collection process, you want to make sure that you don't have any anti-forensic tool or application installed in the particular host or hosts in which you are going to conduct the investigation.

Another very important component is cross-validation. This is what actually brings reputation and respect to the data you are presenting in the court of law.

Okay, so the standard operating procedures, a very important component that is many times overlooked, and it's about developing and following SOPs to maintain consistency. This is why documentation is key, and it was presented in slide number one.

Training and certification is another component, and this is relevant. The reason why it's relevant: I understand that you can learn many things by yourself. This is becoming more popular as we become more technology dependent; this is normal and is expected. But certifications still have a particular value, and there are multiple questions in certification exams in general terms, not only in EC-Council certifications or others, which most likely, if you don't go through the certification process, you will never find out. And this is what people say, or some people say: well, this is theoretical information. Digital forensics involves a lot of theoretical information, a lot. Remember that we are doing the analysis at a low level from the technical standpoint, so theory is extremely important and relevant when we do forensic investigation, digital forensics. The same happens with medical doctors:
when medical doctors do a forensic analysis of the body of somebody that passed away, they also employ a lot of the theoretical knowledge they have been accumulating. Digital forensics is not different.

The other consideration is expert testimony. Okay, I, for example, live in Miami, Florida, USA, and I am one of the 11 experts certified by the legal system in the 11th District, meaning that when you go to the court you have to be classified as an expert in order to provide comments and evidence. Otherwise, probably you know more than me about technology, but you will not be able to speak in the court, because what we say in the court is relevant for the case, and with our wording or statement and through the evidence we provide, we have the ability to put somebody in jail or release this person from being in jail. So this is extremely important.

Okay, so evidence storage. This is one of the most important components. Your opponent in the court, or in your company, is going to try their best in order to shoot down what you are presenting, so you have to safely store and protect evidence to maintain its integrity. Integrity is the most important characteristic or consideration in digital forensics, without any other close to it, so integrity is everything in digital forensics.

Okay, data encryption. There are multiple cases in which you are going to do digital forensics on encrypted storage devices, on encrypted data, on encrypted applications. You need to develop the possibility to handle the encrypted data and understand encryption methods. Among the publications I have, I have over 25 publications about different topics and concepts in cybersecurity; a few of them, probably five or six, are specifically about encryption. If we want to do digital forensics, we want to become data encryption experts. There is no other way. I understand that multiple people don't like math, statistics, physics, etc., but this is a requirement to do an appropriate digital forensic assessment; it is a necessity today. Okay,
the other consideration, and this is for the people that love technology like me attending or watching this conference, is network. I am a big fan of networks. I have been working in networking straight for 41 years; my doctoral degree is in telecommunications and cybersecurity, so networking is in my DNA. I love networking over every other topic in information technology. Network analysis is the possibility for you to analyze network traffic, logs and data to trace digital footprints. I'm pretty sure that everybody has a tool in mind, and of course this tool most likely is part of the tools that I'm going to provide in the last slide for you guys. But network analysis today, from the digital forensics standpoint, is everything. Everything is network related, one way or another.

Malware analysis. We need to develop the possibility to understand malware behavior and analysis, and how that malware impacts systems. This needs to be incorporated as part of the cybersecurity analysis when you perform digital forensics today.

Cloud forensics. I don't have to highlight how important cloud operation is, okay? We are moving operations to the cloud, and for the ones that are still having or running the operation on premise, there is a high expectation that sooner rather than later they move the operation to the cloud, with multiple conveniences. But the consideration at this point is not the benefits or outcomes of the cloud; from the forensics standpoint, when you do cloud forensics the situation is a little different from when you do investigations on premise. So you have to adapt methodologies for investigating data in the cloud, independently of the cloud provider. It doesn't matter if this is AWS, Google, Azure, whoever it is; the operation in the cloud is somehow different from the digital forensics standpoint, starting from the way you access the data.

Remote forensics is the opportunity to develop skills for collecting and analyzing data from a remote location. This is happening more frequently now as we become more
remote-work related. In multiple cases in my own company (not in my job at the government, but in my own company) I have been doing in the last two years, three years, probably two years or so, more remote digital forensics than probably ever before in my life. So this is an important skill to develop as well.

Case management is the way we use digital forensic case management to organize investigations. I mentioned to you that I go to the court very often, more often than what I want, very, very often, okay, and they go and scrutinize every single protocol you present, every single artifact, every single document, the specific chronological order. This is a complex process. It's not only collecting the data, the digital forensic data, doing the analysis and going to the court and talking, okay; the process is much more complex than this.

Collaboration. Collaborate with other experts (and I left one in the middle that I'm going to highlight in a few minutes). Collaborate with other experts, law enforcement or organizations for complex cases. Cases are different between them, of course; this is obvious and I know you know that, okay, but you have some cases sometimes in which the forensic analysis becomes very complex. On those particular cases my advice is: collaborate with others, okay? You do better when you work as part of a team and not when we work independently.

And I skipped data privacy compliance for a minute, because this is relevant. Every single state, every single one, no exception, and every state court operate on different requirements, so you want to make sure that you follow the privacy regulations in your specific place, okay? And by the way, I'm going to ask you a question. I'm not expecting any response, but the question is: by any chance, do you know the specific digital forensics regulations in the place you live? Ask the question yourself, and probably some of you are going to respond no. This is a critical thing.

Continuous learning. You need to feel passion for what we do, okay? Cybersecurity is a specialization of IT, from
my point of view the most fascinating topic in the world, in the planet. This is the only topic I can talk about for 25 hours without drinking water. This is my life. I dedicate multiple hours every single day, seven days a week, even when it creates some personal problems with my family, etc. This is in my DNA. I encourage each of you, if you are not doing it, to dedicate your life to become a digital forensics expert. Digital forensics is one of the most fascinating topics in the planet, okay, and you want to be attentive to this type of thing.

Reporting and presentation. When you go to the court, or when you present your outcomes, all the digital forensic outcomes, to your organization, you want to make sure that you use clear language, you are concise, and you go ready for the presentation, questions and answers. You never want to go to the court unprepared, okay? Never in your life. This is not appropriate, because at the end your assessment has the possibility to put somebody in jail, or somebody will be fired from the organization or not. So what we say is relevant; our wording has a huge impact on other people's lives. It's important to be attentive to that.

One of the most relevant topics that I have been using in my practice is the use of artificial intelligence in digital forensics, since 2017. This is not a topic that is well known at this point, which is the reason why I really want to share my experience, practical experience, with you guys.

Digital evidence analysis: how can artificial intelligence help us? Well, everybody knows that we have multiple applications that we can use in order to analyze the different kinds of media that can be generated, as for example text, images and videos. Artificial intelligence tools have the ability to detect and flag potentially relevant content for investigations, especially from the timing standpoint. Digital forensics is extremely time consuming, very, very time consuming. It's extremely complex. This is probably, along with data recovery, the most complex
specialization in cybersecurity, so the use of artificial intelligence in our favor is very convenient, and at the end I'm going to include as well, or actually I included in the list, a particular artificial intelligence tool that you can use in your favor.

The other use of artificial intelligence is pattern recognition. Artificial intelligence can identify patterns in data, helping investigators recognize anomalies or correlations in digital artifacts that may indicate criminal activity, and out of the whole sentence the most important word, and no question about it, the key word, is correlation. How we correlate data: by using artificial intelligence the process is going to be simplified, dramatically speaking, based on my personal experience.

The other component is NLP. This can be used for text-based evidence, including chat logs and emails, to uncover communication patterns or hidden meanings. A lot of the evidence that we collect, about 65%, is included in emails, chats, documents, etc., so this is where NLP plays a predominant role.

Artificial intelligence in digital forensic analysis for image and video analysis: incredible benefits, okay. You have the ability to analyze multimedia content to identify objects, faces and potentially illegal or sensitive content. I'm sure that a word is coming to your mind right now: steganography. Yes, this is part of steganography, but it's not similar to doing steganography by using a particular application; when you employ artificial intelligence tools that are dedicated exclusively to digital forensics, the benefit is really awesome.

Predictive analysis. Machine learning models can predict potential areas of interest in an investigation, guiding forensic experts to focus on critical evidence. Imagine that you are analyzing a hard drive that is one terabyte, okay. One terabyte holds a lot of documents, videos, pictures, sounds, etc. You know that, okay, you know that if you are attending these conferences, because you are very familiar with information technology and cybersecurity,
digital forensics. Well, how do you find the specific data you need to prove something in the court of law? Well, you have to be very careful about the pieces of data you pick for the analysis; otherwise probably your assessment is not appropriate, and again, every single word we say in the court of law, or in the organization that we are working for, is relevant. It implies that probably somebody will be in jail for 30 years, probably somebody, if we are talking about a huge crime like an assassination, a child pornography abuse that implies somebody that died, etc. Our assessment is critical, okay. We take on the main role when digital forensics is involved; we have to be very careful about the way we do it. This is not a joke; it is very serious, okay. Predictive analysis: machine learning models, or artificial intelligence (the two are pretty close in this concept), can predict potential areas of interest in an investigation, but we talked about that.

Detection. Artificial intelligence driven security tools can identify cyber threats and potential cybercrime activities, helping law enforcement and cybersecurity teams respond effectively and, more importantly, proactively. We all, the majority of us, have multiple tools that we call proactive in our place of work, okay; we have different kinds of monitors, etc., but the possibility to do something in a proactive mode is really what we want.

Evidence authentication. Artificial intelligence can assist in the authentication of digital evidence, ensuring its integrity and the possibility of this data being admitted in court.

Data recovery. Artificial intelligence helps with the recovery of data that has been deleted intentionally or unintentionally; it doesn't matter. When we do digital forensics we want to have as much data as we can that serves to make a case against a particular party.

From the malware analysis standpoint, artificial intelligence brings a lot of speed, and this is needed because again you are looking for a needle in a ton of water, okay, or in a
ton of sand, and this is very complex.

From the network forensics standpoint we are accustomed to using tools as for example Wireshark; everybody knows Wireshark, and I know that well. Anyway, there are some specific artificial intelligence tools for network forensic analysis nowadays, and I included two of those tools in the list in the last slide.

Automated triage. This is one of the most important considerations for you to consider artificial intelligence in digital forensics: speed, okay. Basically this is the possibility to do correlation between large data sets.

Case prioritization. Artificial intelligence can assist investigators in prioritizing cases based on factors like severity, potential impact or resource allocation, and it means timing.

Predictive policing. Super important, because until today digital forensics has always been reactive; we react to something that happened. The possibility to make predictions in digital forensics is fantastic. It never happened before; this is new, at least for me. I started using artificial intelligence back in my own company in 2017, and I have been able to use that in multiple cases for the police department in Miami and another two cities in Florida, Tampa and St. Petersburg, and the results have been amazing.

Document analysis. You know that NLP can extract information from documents and analyze textual content for investigations; artificial intelligence minimizes, dramatically speaking, the time needed for that.

Emotion recognition. Everybody knows what happened with the deepfake algorithms, okay, so we can use artificial intelligence basically to analyze videos, which is awesome, because our eyes, the muscles in our eyes, don't have the ability to lie. We can lie when we speak, or we can try, but the eyes, the reaction to a particular stimulus, cannot be hidden or cannot be modified, so this is unique.

From the data privacy and compliance standpoint, also, you have the ability to automate the specific data you want to include as part of your report, okay.

Now, digital
forensics data acquisition steps, from my standpoint after 41 years.

Preservation. We already talked about this: documentation, preservation. Preservation is integrity, okay. This is the most important consideration, categorically speaking, in any kind of digital forensic investigation. You have to preserve the data as it is, and remember, you never use the original data for your forensic analysis, never. You always use a copy, and to do copies you have to use bit-by-bit applications, bit by bit. You cannot copy bytes, you cannot copy even data, and forget about information. So preservation is the most important thing.

Documentation. We already know that everything needs to be documented, okay, from the crime scene or office to the last point.

Chain of custody, one more time, and I guess that I'm going to mention this one more time, because chain of custody means, or opens the door for, you to present a case in the court of law, or basically to have the ability in your organization to prove that what you are presenting is appropriate.

You have to plan how you are going to collect the data. You have to plan in advance the specific tools you are going to use, what methods you are going to consider in your data collection process. This is relevant, and you always have to consider the cons. The cons are probably more important than the pros when you select or decide to use a particular application for data acquisition. You always want to focus on the negative. People usually tend to talk about the positive: oh, I like Wireshark because of this and that. It's better that you focus on the negative. In information technology everything has pros and cons, no exceptions. Exceptions do not exist; there is not one exception. Everything positive has something negative in information technology, and this is what you want to focus on to avoid problems at the end.

Okay, so how about the verification process? You have to verify, before you work with the real data, that the tools and methods you selected work, okay. You never want to
mess with the original data; you do what you need with a copy. You want to test in a test environment your tools, your methods, your approach, the steps you are going to follow. It is very time consuming, it is, but by the way it's also very well paid. It is very well paid; the only thing I can tell you is that it's very well paid. You have no idea: if you become a cybersecurity expert and specialize in digital forensics, this is where the money is, and trust me, this is where the money is, okay. I'm telling you first-person.

Duplication. We talked about that already. The only way to do that is by creating a bit-for-bit image. There is no other way, okay. This is why you want to use write-blocking devices, software and hardware; I mentioned that before.

Checksums and hashing: different concepts that some people are still confused about, okay. There is a huge difference between the two. The main one is that hashing is a one-way function: you go from the left to the right and usually you don't have the ability to come back to replicate the process. Of course, if you have the algorithms on hand, then you can do reverse engineering, this is obvious, but this is not what happens in regular conditions, okay. So checksums and hashing both minimize the possibility that you make a mistake in your digital forensic analysis.

The other component is acquisition. Okay, so how are you going to collect the data? What particular tools are you going to use? You always have to maintain strict read-only access to the source. If you have the ability to manipulate the data in the source, you have the ability to tamper with actually the most important consideration out of the CIA, which is integrity. If the opponent, the opposite party to you in your organization, the defendant in other words, has the ability to prove that the original data or source can be manipulated in any way, the conversation is 100% over and the case will be dismissed, categorically speaking. There is no more conversation. So this is a humongous responsibility when it comes to data
acquisition: what protocols you use, what the specific tools are, how you plan it, how you document. It is a very painful process, in other words, okay.

Now, data recovery. We already talked about the complexity of finding a needle in a ton of sand. This is super complex, okay, but it's doable. The only thing you have to do is use the appropriate tools, and you need to have a specific plan, because every single case is 100% different.

Digital signatures. Sign the acquired data and hashes with a digital signature for authentication. There are multiple cases today in which handwritten signatures are not accepted anymore. In the government (I am a federal officer for the US Department of Commerce in the USA), in the government we are not allowed to sign anything by hand, for many years back, many years, okay. Digital signatures have a specific component that minimizes, dramatically speaking, the possibility of replication, and this is why this is accepted in the court of law.

Verification. Verify the integrity of the acquired image by comparing hash values with those calculated before. The hash values must be exact, no difference, not even 0.001 percent; they must match 100%, categorically speaking. Otherwise the court is going to dismiss the case as well, or the organization probably is not going to take the appropriate action against a particular individual or problem or process, okay.

Logs and notes. We already talked about documentation at the beginning. You have to actually make sure that everything is timestamped. As I mentioned before, at the beginning, digital forensic evidence must be collected in a particular order, analyzed in a similar manner, and presented in the report in the specific order in which the process was done; otherwise the process is going to be disqualified, and this is exclusively, at this point, our own responsibility and nobody else's, okay.

Storage. We already know that chain of custody is one of the most important components. There are multiple forms, depending on the state in which you live, and the countries as well,
that you have to follow. If you miss a check mark, or if you put a check mark on those particular forms, you are basically dismissing the case yourself, unintentionally. The court doesn't work the way many of us believe, okay? We have the possibility to put somebody in the electric chair, or to release and provide to this particular individual or organization what we said is relevant, okay? This is very important.

The briefing: you always have to be in communication with all parties, both the one presenting the digital process or ruling the process and the other party as well. You cannot hide anything, zero, from your opponents in the court of law or from the defendant's side, never in your life. This is why the first bullet in the whole presentation was, as you may remember, ethics. Okay, in digital forensics we provide what we know to the other parties as well, even to the defendant, to the opponents, every single time, no exception, and we provide every single artifact with the clearest possible explanation to the opponents. This is how the digital forensic process works; otherwise it will be dismissed as well in the court.

Sealing: you have to make sure that every single piece of digital evidence is properly sealed and that you follow the process by the book. Again, if you skip one step, just one out of 100 or 200, depending on the case, the case is going to be dismissed, no exceptions. The court goes by the book, as you can imagine, and your opponent is going to be very attentive to the minimum possible failure to dismiss the case. Okay, so how do you transport the data from one place to the other place? Chain of custody; this is the key component, chain of custody.

Data encryption: you have to make sure that you prevent integrity manipulation, and you always want to ensure the confidentiality of the data. CIA, we already talked about the components: confidentiality, integrity, availability. From the digital forensic standpoint the most important, no exception, is integrity, and also
the confidentiality, okay? So from the recovery image standpoint, you always want to have a duplicate for validation and reanalysis, and remember that you always want to work with a copy of the digital evidence, 100% of the time, not 99. You have to preserve the original evidence. This is part of our responsibility, and this is why we do bit-by-bit analysis and bit-by-bit copies. It's complex, okay?

Now, a specific step in digital forensics: to analyze the collected data. At this point you already went through multiple processes and spent a lot of time. How do you analyze the data you have? Because you are going to have probably terabytes of data, okay? Well, you have to make sure that hashing, digital signatures and the chain of custody have been followed.

Data prioritization: what happened and what is more relevant. You cannot present in the court two terabytes of data or 2,000 pages; this is irrelevant for the case, okay? You have to make sure that you use keywords in order to provide a solid report to the court for this particular case. For the keywords, artificial intelligence has been proven to me to be of huge help.

File carving: you have to use a specialized tool to recover files that may have been deleted or intentionally hidden.

Timeline analysis: we talked about it. You have to do everything by following a particular sequence of activities. In other words, you have to present and do the analysis in chronological order, in the way that you collected the data. This is the exact way you do the analysis, and later you do correlation, okay, but you have to follow a particular chronological order.

Data recovery: you have to do your best to reconstruct the data that has been deleted or probably damaged, even by a physical or electronic condition in the storage media.

The metadata analysis is also complex, okay? This is the next component after the timeline analysis. Metadata includes multiple kinds of data, so this part of the analysis is going to be more complex and more time consuming than the data
collection, and the data collection is already very time consuming.

Content analysis: you have to be very careful, because this is basically what the forensic analysis is going to be.

Pattern recognition: how you can match one bit of data with another bit. Okay, is there any association between bits, between bytes, between data, between words? This is a critical component.

Communication analysis: again, you want to make sure that you include everything. Emails today are probably the most relevant component of digital forensic analysis. You want to make sure that you master email analysis as well.

Data encryption: you always have to keep in mind the confidentiality, and when we are talking about the recovery, or the recovery image, I mentioned that as well, similar to the chain of custody before, because you always have to preserve the original data.

Evidence examination: you want to make sure that you verify the integrity of the data you have been acquiring, including hash values, digital signatures and the chain of custody. We talked about this already; this is a repeat of the slide, by the way. Okay, so database examination, and this is a duplicate slide, so this slide is the same as this one. Okay, so my apologies for that, it's my fault.

Database examination: investigate databases for valuable information, including structured data and log entries, etc.

Media analysis: this is a very complex process, because it's usually about steganography, or includes steganography, and this is about images, videos, audio, geolocation and digital signatures.

Network traffic analysis: tools such as Wireshark, but my suggestion is that you use all the tools that are part of the artificial intelligence applications we can use today and that are available in the market.

Steganography is always complex, okay, because steganography includes not only images but in many cases audio as well, and this is very complex and time consuming. You always want to make sure that you use the appropriate steganography analysis techniques, and there are multiple specific ones for volatile
analysis. As I mentioned before, there are multiple ways to do data acquisition from RAM memory. When we turn off the computer, all the data from RAM doesn't go away. This is what everybody says, this is what Google says, this is what people that never do forensic investigation repeat. This is not appropriate if you know how to do it. And again, I made the presentation for EC-Council in 2019; if you Google my name and this presentation, you will be able to find a particular video in which I was able to recover data from RAM memory after the computer was taken down, believe it or not. Go for the other presentation, which is in the EC-Council database, and you will be able to see the video, okay?

Comparison: you have to do cross-referencing every single time to make sure that the data you identify is appropriate, and you always identify deviations and inconsistencies before you do the final report. I told you already, when you present the report in the court of law, the minimum mistake, something minimal, will disqualify the case. For example, in this presentation I included by mistake this slide and this slide; if I do that in the court of law, it is dismissed, okay? That's it, there's no more conversation.

The emotion analysis, we have talked about that: we are talking about persons. Digital evidence is always related to people, to processes, applications, hardware, software, so we want to make sure that what we present is accurate.

And for the documentation, at some point it was the second point in the presentation: we have to document everything. Reporting is about compiling in a clear and comprehensive manner, including summaries, methodologies and supporting evidence. You have to include, or at least in my case I always include, the recordings of everything I do. Everything means even if I open my personal email, or if a notification comes to my computer and I open something in my WhatsApp, for example, this is part of the recording as well. Okay, so you have to make sure that you
provide an expert testimony. In order to do that, you have to be an expert in digital forensics.

Peer review: consult with others, with your partners, with the opponent, with the defendant's side, before you present. It's not that you are going to modify the report because the defendant doesn't like it; this is not what I'm telling you. It's just that you are going to provide the report, and by the way, you must provide the report to the defendant before you go to the court. By the time you stand up in the court, everything needs to be done; the other party needs to know exactly what you are going to present. This is how the legal system works, okay, with the exception of very few countries, but in the world this is how it works.

So the quality assurance is just making sure that what you present is appropriate. The case management is how you use the digital forensic management system to track everything in the analysis process. And on data privacy compliance, I told you already, every single place, every single city, every single state operates under different conditions.

Popular tools for digital forensics, a few of those: EnCase, Autopsy, AccessData (everybody knows how Forensic Toolkit is), X-Ways Forensics, Cellebrite, Volatility, Wireshark (everybody most likely knows it), Oxygen Forensic Detective and the Digital Evidence and Forensics Toolkit. So some of those are included in Kali, others are not; some are open source, others are extremely expensive, for example EnCase, which is very, very expensive.

Some relevant references about digital forensics: I prefer to use keywords and not particular references or books, because I don't recommend any specific book, but instead the combination of content and knowledge and expertise. But some words or keywords you can use, if you want to expand more in digital forensics, are: digital forensics best practices and challenges, mobile digital forensics, network forensics techniques, cloud forensics investigations, Internet of Things forensics, memory forensics analysis, because you want to stop repeating what you have
been learning for years: when you take down the computer, when the computer is turned off, there is a lot of data that remains in RAM memory for a particular amount of time, of course, okay? So try to expand on this topic. Malware analysis in digital forensics, and cyber security and digital forensics trends. Those are keywords that will facilitate your expanding on digital forensics knowledge.

Other considerations are some particular journals. Okay, in this case I'm going to risk it and recommend Digital Investigation, which is published by Elsevier and is one of the top in the world. The other one is the Journal of Digital Forensics, Security and Law, and Forensic Science International: Digital Investigation.

I'm open to any question you may have, and one more time, before I close my lips, I want to sincerely thank EC-Council for another opportunity to talk about this fascinating topic. Thank you very much to all the staff in EC-Council who work tirelessly and who made this presentation a possibility, and thank you so much as well to you guys for attending the conference and for the questions that you may ask.

Thank you very much, Dr. Lewis, for such an insightful and informative session. That was really a very interesting webinar, and we hope it was worth your time too. Now, before we begin with the Q&A, I would like to inform all the attendees that EC-Council's CHFI maps to the Forensic Investigator and Digital Forensics Consultant roles. Anyone with the CHFI certification is eligible for 4,000-plus job vacancies globally, with an average salary of $95,000. If you're interested to learn more, kindly take part in the poll that's going to be conducted now; let us know your preferred mode of training and we will reach out to you soon. Dr. Lewis, shall we start with the Q&A?

Yes, I'm ready.

Okay, our first question is: how to prove in a court of law that the collected evidence is from the same object and not collected from any other object?

This is a very important question. I
really appreciate the clarification on this topic. As I said, we have to be very careful about the way we collect the data. When we are talking about objects, objects are associated with bits, not with bytes only but with bits, and as I mentioned multiple times, when we do the copy of the original data we want to make sure that we always do bit by bit. When you do bit by bit and not byte by byte, because a bit implies up to 3.4 volts in electricity, we are eliminating the possibility of mistakes. Objects are bigger; a bit does not constitute an object. Objects are formed by multiple bits. This is why we have to do the analysis bit by bit, and I mentioned that multiple times.

Thank you for answering that question. Our next question is: what kind of forensic data can we obtain from encrypted data where the key is not available to decrypt the data?

Could you please repeat the question?

What kind of forensic data can be obtained from encrypted data where the key is not available to decrypt the data?

Encrypted data...

I'll just paste the question to you on chat, Dr. Lewis.

I'm not watching the chat right now; something happened, I'm not watching the chat, sorry. Hello, hello, hello, can you hear me?

Yes, I can hear you. Yes, I have posted the question on the chat, Dr. Lewis.

Okay, okay, please.

Yes, I have already pasted it.

Okay, let me check here. Okay, give me a second. Okay: what kind of forensic data can be obtained from encrypted data? Oh, okay, okay. Well, this is another misperception, okay? Everybody knows that when the data is encrypted we cannot open the data, or the particular file, document, video, any kind of digital forensic data. Let me tell you something: there are multiple forensic tools that have the ability to decrypt the data even when we don't have the key. I understand the key component, and I understand that there are two types of encryption, symmetric and asymmetric, and as I said, I have multiple publications about encryption, but there is most likely always the possibility to encrypt data without having the
encryption key. I understand that it doesn't sound popular; it's not what we hear every single time. But when we specialize in digital forensics, we usually have the tools we need to decrypt the data, especially if you are using artificial intelligence. Also in the government, at least in the US government, in my operation, in the operation I direct, I handle, I supervise, we have been using artificial intelligence for multiple things in cyber security since 2017, and we are also using quantum computing. Quantum computing is not "coming"; quantum computers have been in use in the US government for years now, so we have been using quantum computing for years. There are multiple ways to decrypt the data when the encryption key is not available, multiple ways, multiple applications as well that help with the process. It's very time consuming, but there is a possibility for that, and this is a great question, because the question is, okay, the hard drive is encrypted, there is nothing that I can do, right? No, it's not like that. There are always ways to decrypt the data, always. It doesn't matter how strong the encryption is, but you need to have the appropriate tools in place. For example, I'm going to mention just one, EnCase. When I presented, before, some tools that I suggest, I said that EnCase is very expensive. EnCase does "magic", between quotation marks, man; EnCase does multiple things that we don't learn in school, okay?

So I can see the other question here: how to adapt to investigation in the cloud, since the cloud providers do not allow most of the important operations to access media?

When you have to do a case or conduct digital forensics in the cloud, the cloud providers, 99% of the time (I don't want to say 100 because I don't want to risk that), but usually the cloud providers include in the SLA, in the service level agreement, what is going to happen if a digital forensic or any kind of investigation needs to be performed in the cloud space. So most likely the cloud operator is going to
facilitate access to everything you need. Sometimes you have to move and go physically to the place in which the data is hosted. Don't believe that the cloud provider doesn't know where the data is hosted; we know where the data is hosted, specifically. I have been in San Diego, California, and other states, and in Hawaii back in 2019 as well, doing forensic investigation in a cloud environment. It was actually for something government related, and I was given the permission I needed to do any kind of investigation. So cloud providers facilitate forensic analysis, because forensic analyses are usually related to legal cases. There are multiple cases in which in the USA we don't have access to this data, and I'm going to mention an example: TikTok. The problem between the US government and TikTok is that when TikTok got the authorization to operate in the USA, the government was one step behind, okay, and we don't regulate TikTok at this point. TikTok has the ability to prevent forensic investigation in the TikTok platforms for the US government court system or legal system, okay? But again, usually cloud providers facilitate investigation in the cloud, 100%. They cooperate in every single manner; they have to facilitate the forensic investigation.

Thank you for answering that question. We'll take the last question for the day: what are the best open source, free tools for social media forensics?

There is no best open source tool; it is a combination of tools. Number one, digital forensics cannot be performed, categorically speaking, with one or two tools. This is a complex, time consuming and expensive process. I made some suggestions; it's included in the slide. Let me see a slide, slide number 16. Okay, this is the slide in which I include EnCase, Autopsy; some of them are, as I mentioned before, open source, but there is not a particular tool, or two or three tools, that I would recommend, because on top of that, every single forensic investigation is about a different
process. You cannot use the same tools. This is why there is, at least in the USA, a very small number of organizations, companies, that specialize in digital forensics, as my company does. The reason is, between many other things, lack of expertise and expenses, okay? So I do not recommend a particular tool, but instead the combination of tools. There are multiple open source ones; I mentioned a few in slide number 16 of my PowerPoint presentation, but again, those are not sufficient. Those are the most popular and strongest, or more accurately, the tools that you can use for digital forensics, but a particular tool, one or two, to do forensic investigation doesn't exist. It is impossible.

Thank you again to our wonderful speaker Dr. Lewis for answering those questions and for the great presentation and knowledge shared with our global audiences. It was a pleasure to have you with us, and we are looking forward to more and more sessions with you. Before we conclude the webinar, Dr. Lewis, would you like to give a small message to our audience, please?

Well, no, I just want to thank everybody again, the ones that work tirelessly behind the presentation to you in EC-Council. As always, thank you very much for the support. To all the attendees, I hope you learned something new. Let me clarify that every single piece of content, wording, words, etc. that I have been presenting to you is my original creation, 100%, not 99.99 but 100%, categorically speaking, and I put together those notes and reflections for you guys with the hope that you can come back to your organization and serve better, that you can become a public servant and go to the court and testify in favor of the party that deserves your benefits. And I sincerely thank you for the opportunity to share my expertise with you guys. Have a nice weekend. Okay, thank you very much for the time and questions.

Thank you so much. Thank you so much, Dr. Lewis, for your message. Before we end the session, I would like to announce the next Cyber Talks session: Why Are Strong Foundational Cyber
Security Skills Essential for Every IT Professional, which is scheduled on November 8, 2023. This session is an expert presentation by Roger Smith, Director, Car Managed IT, Industry Fellow at the Australian Defence Force Academy. To register for this session, please visit our website www.ccu.edu cybertalks; the link is given in the chat section. Hope to see you all on November 8th. With this we end the session; you may disconnect your lines. Thank you.

Thank you so much, Dr. Lewis, pleasure having you.

Likewise, thank you very much for the opportunity. Thank you, have a good day.