Hello, everyone, and welcome to today's
session on digital forensics: best practices
from data acquisition to analysis. I'm
Shilpa Goswami, and I'll be your host
for the day. Before we get
started, we would like to go over a few
house rules for our attendees. The
session will be in listen-only mode and
will last for an hour, of which the
last 15 minutes will be dedicated to Q&A.
If you have any questions during the
webinar, for our organizers or
speakers, please use the Q&A window. Also, if you
face any audio or video challenges, please
check your internet connection or you
may log out and log in again. An
important announcement for our audience:
we have initiated CPE credit
certificates for our participants. To
qualify for one, attendees are required
to attend the entire webinar and then
send an email to cyber talks at eccouncil.org,
after which our team will
issue the CPE certificate. Also, we would
like to inform our audience about the
special handouts. Take a screenshot of
the running webinar and post it on your
social media, LinkedIn or Twitter, tagging
EC Council and Cyber Talks. We will
share free handouts with the first 15
attendees. As a commitment to closing the
cybersecurity workforce gap by creating
multi-domain cyber technicians, EC Council
pledges $3,500,000 towards ECT
Education and Certification Scholarships
to certify approximately 10,000 cyber
professionals ready to contribute to the
industry. Did you know that you can be
part of the lucrative cybersecurity
industry? Even top companies like Google,
Microsoft, Amazon, IBM, Facebook, and Dell
all hire cybersecurity professionals.
The cybersecurity industry has a 0%
unemployment rate. The average salary
for an entry-level cybersecurity job is
about $100,000 per year in the United
States. Furthermore, you don't need to
know coding, and you can learn from home, and
you get a scholarship to kick-start your
career. Apply now. EC Council is pledging
a $3,500,000 CCT scholarship for cybersecurity
career starters. Scan the QR
code on the screen to apply for the
scholarship. Fill out the form.
Now, about our
speaker Dr. Luis. Dr. Luis Noguerol is the
Information Systems Security Officer for
the U.S. Department of Commerce, NOAA,
where he oversees the cybersecurity
operation for six states in the
Southeast Region. Dr. Luis is also the
President and CEO of the Advanced
Division of Informatics and Technology,
Technology INC, a company that focuses on
data recovery, digital forensics, and
penetration testing. He is a world-renowned
expert in data recovery, digital
forensics, and penetration testing. He
holds multiple globally recognized
information technology and cybersecurity
certifications and accreditations
and is the recipient of multiple awards
in technology, cybersecurity, and
mathematics. He currently serves pro bono as
an editorial board member and reviewer for the
American Journal of Information Science
and Technology, and is a member of the
prestigious high-edging professor program for
undergraduate and graduate programs at
multiple universities in the U.S. and as a
reviewer for the doctoral program at the
University of Karachi in Pakistan. He is
the author of multiple cybersecurity
publications and articles, including Cybersecurity
Issues in Blockchain: Challenges and
Possible Solutions. He is also one of
the co-authors and reviewers of the
worldwide acclaimed book, Intrusion
Detection Guide.
Prior to obtaining his doctorate
degree in Information Systems and
Technologies from the University of
Phoenix, Dr. Luis earned a Bachelor of
Science in Radio Technical and
Electronic Engineering, a
Bachelor of Science in
Telecommunications and Networking, and a
Master of Science in Mathematics and
Computer Science.
Without any further delay, I will
hand over the session to you, Dr. Luis.
Thank you very much. Thanks. Okay.
Good morning, everybody. Good afternoon, and
good night, depending on the specific
area in which you reside. We are going to
have an interesting conversation today
about digital forensic best practices
from data acquisition to analysis. This
is the title of the presentation or
subject, and I’m more than happy to be
here with you all and share some of
my expertise. So, let's go ahead and start the conference,
okay? She already mentioned
some of my credentials.
I have been working in cybersecurity
at this point for over 41 years.
This is in my DNA, a topic that I like
and respect so much that I cannot
talk about any other topic in my life.
Before we go, I have here a statement that
I put together for you, okay? Digital
forensic best practices. Well,
consideration number one: just to break
the ice in the labyrinth of
cyberspace, where shadows dance through encased
passages and data whispers its secrets, the
digital detective emerges. This is us, the
digital forensic experts. Clad in lines of
code and armed with algorithms, we seek
the hidden treasures of truth and
solving enigmatic cybercrimes. With a visual
magnifying glass, this is what we do: we
dissect the digital tapestry,
unveiling the footprints of elusive
cyber culprits. This is what cyber forensics, or
digital forensics, is about. Each keystroke and
pixel holds a clue, something that we can
use in our favor. And in this mesmerizing
world of the digital era, ones and zeros,
the art of digital forensics is about
finding the secret of the digital reality. Digital
forensics is about finding evidence
that can lead to a particular process. It
can be a legal process, or it can be any
other kind of process. But what is
digital forensics from my point of view?
Well, I mentioned earlier that I've
been working in cybersecurity for 41 years.
My specialties are in penetration
testing, data recovery, and digital forensics.
I’ve been working for the
police department in multiple places
doing digital forensics for them. So I try to
put together an easy definition for you from my
standpoint about what digital forensics
is. Digital forensics investigates digital
devices and electronic data to use as
evidence. Please note that I don’t say
electronic information; I use the word "data"
intentionally to understand digital events
and trace illicit activities. This is a key
component of digital forensics. Normally
speaking, digital forensics happens, of
course, after the facts, and the idea of
digital forensics is identifying traces,
okay, that lead to particular data that
we can gather together and make a
conclusion. It involves the systematic
collection, preservation, analysis, and
presentation of digital evidence in
legal proceedings. This is key
today because we are technology-dependent,
and there are multiple states,
at least in the USA and some other countries,
where digital forensics is still in
limbo because it's not accepted in the
court of law. Okay. So, this is very
important to keep in mind. What are we
going to do from the digital forensics
standpoint, the data collection process,
and the analysis? Digital forensics
experts use specialized techniques and
tools to extract data from computers,
smartphones, networks, and digital storage
media to support investigations and
resolve legal matters. So this is
basically what digital forensics is
about. Let's go ahead and start with the
technical part, which is the topic I like
most. Okay, let's talk about those
30 best practices that I’ve put
together for you. At the end of the
presentation, you will have the
opportunity to ask as many questions as
you like. 1. You have to
follow the legal and ethical standards:
For this particular first point, I am not
going to make any comment. I believe that
ethics is a key component
of cybersecurity. We always
have to follow the rules. We must always
follow the legal procedures in the
places in which we operate because every
single place is a different component.
2. Understand the original evidence:
This is key. Okay. You always have to
maintain the integrity of the original
evidence to ensure it is admissible in
court. Any kind of manipulation
or modification will result in
disqualification from the court system.
Document everything: This is something
that technical people like me don’t
like too much, but when it comes to
digital forensics, we have to document
every single step we take. We have to
record all the steps we
follow, and we want to make sure that
everything is documented and recorded in
a specific chronological order. This is
a key component for digital
forensics or investigations to be accepted
in the court of law. Secure the scene:
It’s not just physical
crime scenes that need to be secured to prevent
contamination or tampering.
If you present anything in court and
the opposing party
has the ability to prove that
something was not preserved, the
conversation is over. Chain of custody:
I’m going to repeat this more than
once during the presentation. Sorry.
Chain of custody refers to how you
establish and maintain
the evidence and the process
that facilitates how the
tracking process is handled. Use write-blocking
tools: This is another key
component of digital forensics. It means
that you have to use the appropriate
hardware and software that allow for
write blockers when you are collecting
data to prevent alteration. There are a
set of tools you can use, and at the end
of the presentation, I’m going to provide
you with a specific set
of tools you can use as write-blocking
tools. Verify hashing or hash
values. This is how you calculate and compare
hash values to verify the data's integrity.
There is often confusion about integrity,
confidentiality, and availability. In
digital forensics, the most important
component is integrity. It means that we
must make every effort to
ensure that the data is not modified in
any possible way, from the time we
arrive at the scene
to the time we present the evidence
in court and even after that as well. The
other component is: collect volatile data
first. Okay, this obviously makes perfect
sense. You have to prioritize this
type of data collection as it can be
lost or modified when the system is
powered down. For many of you, what I’m
going to tell you may
sound not appropriate, and this is the
following assessment:
we've been told from the time we
arrived at school and even at work
that information or data in random access memory (RAM) disappears when the
computer is shut down. Back in 2019,
I made a presentation similar to
this one for this account, in
which I proved that the data in RAM
can be recovered. Okay. So, what we have been
learning in multiple places, and what you can
easily find on Google, that data in RAM
is lost when
computers are powered down, is not
exactly correct. The other component is
Forensic image. You have to create a
forensic image of storage devices to
work with copies. You must always
present the original evidence. This is a
requirement in the court of law. You must
present the original evidence every single
time. The other component is the Data
recovery. Data recovery is closely
associated with digital forensics for
obvious reasons. Okay. You have to
employ specialized tools to recover
deleted or hidden data. This is also
something to keep in mind. At the end,
I'm going to provide some specific
applications you can use to do data
recovery.
Timeline analysis: You must construct
and analyze timelines to understand the
sequence of events. What happened first? The
chronological order is a mandatory
requirement in the court of law. You
cannot present evidence in court
in a random manner. You have to
follow the specific chronological order.
The other consideration is Preserving
the metadata. Ensure metadata integrity
to verify results, timing, and
authenticity of the digital artifacts you
are going to present in the court of law.
Use known good reference data: This
means you have to compare the
collected data with known
good reference data to identify
anomalies, specific patterns, and
statistical processes. Many times, you have
to do this as well. Antiforensic
awareness: You have to be aware of the
antiforensic techniques in use.
There are multiple applications
that work against digital forensics. So,
you must be aware of that. Before
you start digital forensics analysis,
while working on the data collection
process, you want to make sure you
don't have any anti-forensic
tools or applications installed on the
particular host or hosts in which you are
going to conduct the investigation. Another
very important component is Cross-validation.
This is what brings actual
reputation and respect to the data you
are presenting in the court of law. Okay?
So the standard operating procedures are a
very important component that is oftentimes
overlooked, and it's about
developing and following SOPs that
maintain consistency. This is
why documentation is key, and it was
presented in slide number one. Training
and certification are also important components, and
this is relevant. The reason why it's
relevant is that I understand you can learn
many things by yourself. This is becoming
more popular as we become more
technology-dependent. This is normal
and expected, but certifications still
hold particular value. There are
multiple questions in certification
exams, in general terms, not only in EC-Council
certifications or others, in which,
most likely, if you don't go through the
certification process, you will never
find out. And this is what
some people say: "Well, this is
theoretical information." Digital forensics
involves a lot of theoretical information--
A LOT. Remember that we are doing the
analysis at a low
level, from the technical standpoint. So
theory is extremely important and
relevant when we do forensic
investigations--digital forensics. The same
happens with medical doctors. When
medical doctors do a forensic
analysis of a body of someone who
passed away, they also employ a lot of
theoretical knowledge they have been
accumulating. Digital forensics is no
different.
The other consideration is expert
testimony. Okay? I, for example, live
in Miami, Florida, in the USA, and I am one of the
11 experts certified by the legal system
in the 11 districts. This means that when you
go to court, you have to be
classified as an expert in order to
provide comments and evidence. Otherwise, you will
probably not be able to speak in court,
as what we say
in court is relevant for the case.
And with our wording or statement,
along with the evidence we provide, we have
the ability to put somebody in jail or
release this person from jail.
So, this is extremely important. Okay? So,
evidence storage is one of the most
important components. Your opponent in
court or in your company will try
their best to challenge what you
are presenting. So, you have to safely
store and protect evidence to maintain
its integrity. Integrity is the most
important characteristic or
consideration in digital forensics--
without any other factor coming close. So, integrity
is everything in digital forensics. Okay?
Data encryption: There are multiple cases
in which you will do digital
forensics on encrypted storage devices,
encrypted data, or encrypted
applications. You need to develop the
ability to handle encrypted data
and understand the encryption methods.
Among the publications I have, I have
over 25 publications on different
topics and concepts within security. A
few of them, probably five or six, are
specifically about encryption. If we want
to do digital forensics, we must become
data encryption experts. There is no other
way. I understand that many people
don’t like math, statistics, physics, etc.,
but this is a requirement for doing an
appropriate digital forensic assessment.
It’s a necessity today. Okay? The other
consideration, and this is for the people
who love technology like me attending
or watching this conference, is network. I
am a big fan of networks. I have been
working in networking for 41 years.
My doctoral degree is in
telecommunications and cybersecurity. So,
networking is in my DNA. I love networking more than
any other topic in information
technology. Network analysis is the
ability to analyze network
traffic logs and data to trace digital
footprints. I’m pretty sure
everyone has a tool of mine, and, of course,
this tool is most likely part of the
tools I’m going to
provide in the last slide for you.
But network analysis today, from a
digital forensics standpoint, is
everything. Everything is network-related in
one or another way. Malware analysis: We
need to develop the ability to
understand malware behavior and analysis
and how those malwares impact systems.
This needs to be incorporated as part of
the cybersecurity analysis when
performing digital forensics today. Cloud
forensics: I don’t have to highlight how
important cloud operations are. Okay? We are
moving operations to the cloud, and
for those still
running operations on-premises, there is
a high expectation that sooner rather than
later, you will move operations to the cloud for
multiple conveniences. However, the
configuration at this point does not fully
benefit all aspects of the cloud. From
a forensic standpoint, when you do
cloud forensics, the situation is a little
different from
on-premises investigations. So, you have to
adapt methodologies for investigating
data in the cloud, regardless of the
cloud provider. Here, as a matter, you can see
AWS, Google, Azure, or anyone else.
The operation in the cloud is somehow
different from a digital forensics
standpoint, starting with how you
access the data.
Remote forensics: Remote forensics is the opportunity
to develop skills for collecting and
analyzing data from a remote location.
This is happening more frequently now as
we become more telework-dependent.
In multiple cases--in my own company, for example (knowing my
job with the government, but owning my own
company)--I have been doing more remote digital forensics in the last
two, three years, probably two years,
than probably ever before in my life. So, this
is an important skill to develop as well.
Case management: This is how we use
digital forensics case management to
organize and track investigations. I mentioned to
you that I go to court very often--more
often than I want, very, very often.
Okay. And they scrutinize every
single protocol you present, every single
artifact, every single document, and the
specific chronological order. This is a
complex process. It’s not just collecting
the data, performing the digital forensics
analysis, and going to court to testify.
Okay? The process is much more
complex than this.
Collaboration: Collaborate with other
experts and there's one in the middle
that I'm going to highlight in a few.
Collaborate with other experts, law
enforcement, or organizations for complex
cases. Cases are different from one another.
Of course, this is okay, and I know you
know that. Okay? But you have some cases
sometimes in which the forensic analysis
becomes very complex. In those particular
cases, my advice is to collaborate with
others. Okay? You do better when you work
as part of a team and not when you work
independently. I’ll skip the data
privacy compliance for a minute because
this is relevant. Every single state,
every single one, no
exception. Each state court operates under
different requirements. So, you want to
make sure that you follow the privacy
regulations in your specific place. Okay?
And by the way, I'm going to ask you a
question. I'm not expecting any response.
But the question is: by any chance, do you
know the specific digital forensic
regulations in the place you live? Ask
yourself this question, and probably some
of you are going to respond "no." This is a
critical thing. Continuous learning: You
need to keep asking about what we do. Okay?
Cybersecurity is a specialization of IT. From
my point of view, it's the most fascinating
topic in the world. This is
the only topic I can talk about
for 25 hours without drinking water.
This is my life. I dedicate multiple
hours every single day, seven days a week,
even when it creates some personal
problems with my family, etc. This is in
my DNA. I encourage each of you, if you
are not doing so, to dedicate your life to
become a digital forensics expert. Digital
forensics is one of the most fascinating
topics on the planet. Okay. And you want
to be attentive to these types of things.
Report and presentation: When you go to
the court or when you present your
outcomes of all the digital forensic
outcomes to your organization, you want
to make sure that you use clear
language, you are concise, and you are
ready for the presentation questions and
answers. You never want to go to the
court unprepared. Okay? Never in your
life. This is not appropriate because, at
the end of your assessment, you have the
possibility to put somebody in jail or
somebody will be fired from the
organization or not. So what we say is
relevant. Our wording has a huge impact
in other people's lives. It's important
to be attentive to that. One of the most
relevant topics that I have been using in
my practice is the use of artificial
intelligence in digital forensics. Since
2017, this is not a topic that is well
known. At this point, the reason why I
really want to share my experience--
practical experience with you guys,
digital evidence analysis, how artificial
intelligence can help us. Well, everybody
knows that we have multiple applications
that we can use in order to analyze
the different kind of media that can be
generated. For example, text, image, and
videos, artificial intelligence studies
have the ability to detect and flag
potential relevant content for
investigations, especially from the
timing standpoint. Digital forensic is
extremely time consuming, very, very
time consuming and complex. This is
probably along with data recovery the
most complex specialization in
cybersecurity. So the use of artificial
intelligence, in our favor, is very
convenient. And at the end, I'm going to
include as well or actually I included
in the list a particular artificial
intelligence tool that you can use in
your favor. The other use of artificial
intelligence is pattern
recognition. Artificial intelligence can
identify patterns in data, helping
investigators recognize anomalies or
correlations in digital artifacts that
may indicate criminal activity.
Out of the whole sentence, the most
important question is: "What is the key word?" The key word,
correlation. How do we correlate data by
using artificial intelligence? The
process is going to be simplified
dramatically. Speaking based on my
personal experience, the other component is
NLP. This can be used to analyze
text-based evidence, including logs
and emails, to uncover communication
patterns or hidden meanings. A lot of
evidence that we collect, about
65%, is included in emails, chats,
documents, etc., so this is when NLP plays
a predominant role in artificial
intelligence in the digital forensic
analysis for image and video analysis. It provides
incredible benefits. Okay? You have the
ability to analyze multimedia
content to identify objects, people, and
potentially illegal or
sensitive content. I’m sure a word
is coming to your mind right now, steganography.
Yes, this is part of steganography, but it's
not similar to doing steganography by using a
particular application. When you
employ artificial intelligence tools
that are dedicated exclusively to
digital forensics, the benefit is really
awesome. Predictive analysis: Machine
learning models can predict potential
areas of interest in an investigation,
guiding forensic experts to focus on
critical evidence. Imagine that you are
analyzing a hard drive that is one
terabyte and holds a lot of
documents, videos, pictures, sounds, etc. You
know that, right? If you are
attending this conference, it’s because you
are very familiar with information
technology, cybersecurity, and digital forensics.
Well, how do you find the specific data you
need to prove something in a court of
law? You have to be very careful
about the pieces of data you pick for
the analysis, otherwise, your
assessment is not appropriate. And again,
every single word we say in a court
of law or in the organization we
are working for is relevant. It implies
that probably somebody will be in jail
for 30 years, or probably somebody, if we’re
talking about a huge crime like an
assassination or child pornography abuse,
will face consequences like death. Our
assessment is critical. Okay? We become
the main players when
digital forensics is involved. We have to
be very careful about the way we do it.
This is not a joke; it's very serious. Okay?
Predictive analysis, machine learning
models, or artificial intelligence are
pretty close in this concept and can predict
potential areas of interest in an
investigation. But we also talk about
detection. Artificial-intelligence-driven
security tools can identify
cyber threats and potential cybercrime
activities, helping law enforcement and cybersecurity
teams respond effectively and
proactively. More importantly, the
majority of us have multiple tools that
we call proactive
in our place of work. Okay? We
have different kinds of monitors, etc. But
the possibility to do something in a
proactive mode is really what we want.
Evidence authentication: Artificial
intelligence can assist in the
authentication of digital evidence,
ensuring its integrity and the
possibility of this data being admitted
in court. Data recovery: Artificial
intelligence helps with the recovery of
data that has been deleted
intentionally or unintentionally. It
doesn't matter. When we do digital
forensics, we want to have as much data as
we can to make a case
against a particular party. From the
malware analysis standpoint,
artificial intelligence brings a lot of
speed, and this is needed because, again,
you are looking for a needle in a ton of
water or in a ton of sand, and this
is very complex. From the network
forensic standpoint, we are accustomed to
using tools such as Wireshark, which everybody
knows, well, anyway,
there are now specific artificial
intelligence tools for network forensic
analysis. I have included two of
those tools in the list on the last
slide. Automated trace: This is one of the
most important considerations for you to
consider with artificial intelligence in
digital forensics. Speed is key. It’s basically
the ability to do
correlation between large data sets. Case
priority: Artificial intelligence can
assist investigators in
prioritizing cases based on factors like
severity, potential impact, or resource
allocation, meaning timing.
Predictive policing: This is super important
because, until today, digital forensics has
always been reactive. We react to
something that happened. The possibility to
make predictions in digital forensics is
fantastic. It has never happened before.
This is new, at least for me. I started
using artificial intelligence back in my own
company in 2017, and I have been able to
do that in
multiple cases for the police department
in Miami and in two other cities in
Florida: Tampa and St. Petersburg. The
results have been amazing. Document
analysis: You know that NLP can extract
information from documents and analyze
textual content for investigations.
Artificial intelligence dramatically minimizes
the time needed for that.
Emotional recognition: Everybody
knows what happened with the DSP
algorithms. Okay? So we can use artificial
intelligence to analyze videos,
which is awesome because our eyes, our
muscles in our eyes, don't have the
ability to lie. We can lie when we speak,
or we can try, but our eyes’ reactions
to a particular stimulus cannot be hidden
or cannot be modified. So this is unique.
From the data privacy and compliance standpoint, you
also have the ability to
automate the specific data you want to
include as part of your report. Okay? Now,
digital forensic data acquisition steps:
From my standpoint, after 41 years of experience,
preservation--we already talked about this.
Documentation: Preservation is integrity.
Okay? This is the most important
consideration, categorically speaking, in
any kind of digital forensic
investigation. You have to preserve the
data as it is. And remember, you never use
the original data for your forensic
analysis—-never. You always use a copy. And
to do copies, you have to use bit-by-bit
applications. Bit-by-bit—you cannot
copy bytes, or you cannot copy data
and forget about the information. So,
preservation is the most important thing.
Documentation: We already know that
everything needs to be documented, okay?
From the crime scene to the
last point. Chain of custody: One more
time, and I guess I’m going to
mention this one more time because chain
of custody means or opens the door for
you to present a case in the court of
law or to prove, in
your organization, that what you
are presenting is appropriate. You have
to plan how you are going to collect the
data. you have to plan with anticipation
the specific tools you are going to use
what methods are you going to consider
in your data collection process this is
relevant and you always have to consider
the coms coms is probably more important
than PR when you select or decided to
use a particular application for the
data acquisition you always want to
focus on the negative people usually
tends to talk about the positive oh I
like why the Shar because this and that
it's better that you focus on the
negative in Information Technology
everything has cross and comes no
exceptions exceptions do not exist there
is not one exception everything positive
have something negative in information
technology and this is what you want to
focus on it to avoid problems at the end
Okay so
how about the verification process you
have to verify before you work with the
real data that the tools and methods you
selected work okay you never want to
mess up with the original data needed
with a copy you want to test in a test
environment your tools your methods your
approach the steps you are going to
follow is very time consuming it is but
by the way it's also very well paid is
very well paid. The only thing I can tell you is that it's very well paid; you have no idea. If you become a cybersecurity expert and specialize in digital forensics, this is where the money is, and trust me, this is where the money is, okay? I'm telling you first-person.

Duplication: we talked about that already. The only way to do that is by creating a bit-for-bit image; there is no other way, okay? This is why you want to use write-blocking devices, software and hardware. I mentioned that before.

Checksums and hashing: two different concepts that some people are still confused about, okay? There is a huge difference between the two. The main one is that hashing is a one-way function: you go from the left to the right, and usually you don't have the ability to come back to replicate the process. Of course, if you have the algorithms on hand then you can do reverse engineering, this is obvious, but this is not what happens in regular conditions, okay? So checksums and hashing both minimize the possibility that you make a mistake in your digital forensic analysis.

The other component is acquisition, okay? So how are you going to collect the data? What particular tools are you going to use? You always have to maintain strict read-only access to the source. If you have the ability to manipulate the data in the source, you have the ability to tamper with actually the most important consideration out of the CIA, which is integrity. If the opponent, the opposite party to you or your organization, the defendant in other words, has the ability to prove that the original data or source can be manipulated in any way, the conversation is 100% over and the case will be dismissed, categorically speaking. There is no more conversation. So this is a humongous responsibility when it comes to data acquisition: what protocols you use, what the specific tools are, how you plan it, how you document it. It is a very painful process, in other words, okay?

Now, data recovery: we already talked about the complexity of finding a needle in a ton of hay. This is super complex, okay, but it's doable. The only thing you have to use is the appropriate tools, and you need to have a specific plan, because every single case is 100% different.

Digital signatures: sign the acquired data and hashes with a digital signature for authentication. There are multiple cases today in which hand signatures are not accepted anymore. In the government (I am a federal officer for the US Department of Commerce in the USA), in the government we are not allowed to sign anything by hand, for many years back, many years, okay? Digital signatures have a specific component that minimizes, dramatically speaking, the possibility of replication, and this is why this is accepted in the court of law.
Verification: verify the integrity of the acquired image by comparing hash values with those calculated before. The hash values must be exact, no difference, not even 0.001 percent; it must match 100%, categorically speaking. Otherwise the court is going to dismiss the case as well, or the organization probably is not going to take the appropriate action versus a particular individual or problem or process, okay?

Logs and notes: we already talked about documentation at the beginning. You have to actually make sure that everything is timestamped. As I mentioned before at the beginning, digital forensics must be collected in a particular order, analyzed in a similar manner, and presented in the report in the specific order in which the process was done; otherwise the process is going to be disqualified, and this is exclusively, at this point, our own responsibility and nobody else's, okay?

Storage: we already know that chain of custody is one of the most important components. There are multiple forms, depending on the state in which you live and the country as well, that you have to follow. If you miss a check mark, or if you put a check mark on those particular forms unintentionally, you are basically dismissing the case. The court doesn't work in the way many of us believe, okay? We have the possibility to put somebody in the electric chair, or to release, to provide to this particular individual or organization what we said is relevant, okay? This is very important.

The briefing: you always have to be in communication with all parties, both the one presenting the digital process or ruling the process, and the other party as well. You cannot hide anything, zero, from your opponents in the court of law or from the defendant party, never in your life. This is why the first bullet in the whole presentation was, as you may remember, ethics, okay? In digital forensics we provide what we know to the other parties as well, even to the defendant, to the opponents, every single time, no exception, and we provide every single artifact with the clearest possible explanation to the opponents. This is how the digital forensic process works; otherwise it will be dismissed as well in the court.

Sealing: you have to make sure that every single piece of digital evidence is properly sealed, and then that you follow the process by the book. Again, if you skip one step, just one out of 100 or 200 depending on the case, the case is going to be dismissed, no exceptions. The court goes by the book, as you can imagine, and your opponent is going to be very attentive to the minimum possible failure to dismiss the case, okay? So how you transport the data from one place to the other place: chain of custody, this is the key component, chain of custody.

Data encryption: you have to make sure that you prevent integrity manipulation, and you always want to ensure the confidentiality of the data. CIA: we already talked about the components, confidentiality, integrity, availability. From the digital forensic standpoint, the most important, no exception, is integrity, and also confidentiality, okay? So from the recovery image standpoint you always want to have a duplicate for validation and reanalysis, and remember that you always want to work with a copy of the digital evidence, 100% of the time, not 99. You have to preserve the original evidence. This is part of our responsibility, and this is why we do bit-by-bit analysis and bit-by-bit copy. It's complex, okay?

Now, a specific step in digital forensics: to analyze the collected data. At this point you already went through multiple processes and spent a lot of time. How do you analyze the data you have? Because you are going to have probably terabytes of data, okay? Well, you have to make sure that hashing, digital signatures and the chain of custody have been followed. Data prioritization: what happened and what is more relevant. You cannot present in the court two terabytes of data or 2,000 pages; this is irrelevant for the case, okay? You have to make sure that you use keywords in order to provide a solid report to the court for this particular case. For the keywords, artificial intelligence has been proven to me to be of huge help. File carving: you have to use a specialized tool to recover files that may have been deleted or intentionally hidden. Timeline analysis: we talked about it. You have to do everything by following a particular sequence of activities; in other words, you have to present and do the analysis in chronological order. The way that you collect the data, this is the exact way you do the analysis, and later you do correlation, okay, but you have to follow a particular chronological order. Data recovery: you have to do your best to reconstruct the data that has been deleted or probably damaged, even by a physical or electronic condition in the storage media. The metadata analysis is also complex, okay? This is the next component after the timeline analysis. Metadata includes multiple kinds of data, so this part of the analysis is going to be more complex and more time consuming than the data collection, and the data collection is already very time consuming. Content analysis: you have to be very careful, because this is basically what the forensic analysis is going to be. Pattern recognition: how you can match one bit of data with another bit, okay? Is there any association between bits, between bytes, between data, between words? This is a critical component.

Communication analysis: again, you want to make sure that you include everything. Emails today are probably the most relevant component of digital forensic analysis; you want to make sure that you master email analysis as well. Data encryption: you always have to keep in mind the confidentiality. And when we are talking about the recovery, or the recovery image, I mentioned that as well, similar to the chain of custody before, because you always have to preserve the digital, the original data. Evidence examination: you want to make sure that you verify the integrity of the data you have been acquiring, including hash values, digital signatures and the chain of custody. We talked about this already.
This is a repeat of the slide, by the way, okay? So database examination, and you are seeing a duplicate slide, so this slide is the same as this one, okay, so my apology for that, it's my fault. Database examination: investigate databases for valuable information, including structured data and log entries, etc. Media analysis: this is a very complex process because it's usually about steganography or includes steganography, and this is about images, videos, audio, geolocation and digital signatures. Network traffic analysis: tools such as Wireshark, but my suggestion is that you use all the tools that are part of the artificial intelligence applications we can use today and are available in the market. Steganography is always complex, okay, because steganography includes not only images but in many cases audio as well, and this is very complex and time consuming. You always want to make sure that you use the appropriate steganography analysis techniques, and there are multiple specific ones.

For volatile analysis, as I mentioned before, there are multiple ways to do data acquisition from RAM memory. When we turn off the computer, all the data from RAM doesn't go off. This is what everybody says, this is what Google says, this is what people that never do forensic investigation repeat; this is not appropriate if you know how to do it. And again, I made the presentation for EC-Council in 2019; if you Google my name and this presentation, you will be able to find a particular video in which I was able to recover data from RAM memory after the computer was taken down, believe it or not. Go for the other presentation that is in the EC-Council database and you will be able to see the video, okay?

Comparison: you have to do cross-referencing every single time to make sure that the data you identify is appropriate, and you always identify deviations and inconsistencies before you do the final report. I told you already, when you present the report in the court of law, any minimum mistake, something minimal, will be disqualified in the case. For example, in this presentation I included by mistake this slide and this slide; if I do that in the court of law, it is dismissed, okay? That's it, there is no more conversation.

The emotion analysis: we have talked about that. We are talking about persons; digital evidence is always related to people, processes, applications, hardware, software, so we want to make sure that what we present is accurate. And from the documentation, at some point it was the second point in the presentation, we have to document everything. Reporting is about compiling in a clear and comprehensive manner, including summaries, methodologies and supporting evidence. You have to include, or at least in my case I always include, the recordings of everything I do. Everything means even if I open my personal email, or if a notification comes to my computer and I open something in my WhatsApp, for example, this is part of the recording as well, okay? So you have to make sure that you provide an expert testimony; in order to do that you have to be an expert in digital forensics. Peer review: consult with others, with your partners, with the opponent, with the defendant party before you present. It's not that you are going to modify the report because the defendant doesn't like it; this is not what I'm telling you. It's just that you are going to provide the report, and by the way, you must provide the report to the defendant before you go to the court. By the time you stand up in the court everything needs to be done; the other party needs to know exactly what you are going to present. This is how the legal systems work, okay, with the exception of very few countries, but in the world this is how it works. So the quality assurance is just making sure that what you present is appropriate. The case management is how you use the digital forensic case management system to track everything in the analysis process. And from the data privacy compliance, I told you already: every single place, every single city, every single state operates under different conditions.

Popular tools for digital forensics, a few of those: EnCase, Autopsy, AccessData (everybody knows it is a forensic toolkit), X-Ways Forensics, Cellebrite, Volatility, Wireshark (everybody most likely knows it), Oxygen Forensic Detective, and the Digital Evidence and Forensic Toolkit. So some of those are included in Kali, others are not; some are open source, others are extremely expensive, for example EnCase, which is very, very expensive.

Some relevant references about digital forensics: I prefer to use keywords and not particular references or books, because I don't recommend any specific book, instead the combination of content and knowledge and expertise. But some words or keywords you can use if you want to expand more in digital forensics are: digital forensics best practices; challenges in mobile digital forensics; network forensics techniques; cloud forensics investigations; Internet of Things forensics; memory forensics analysis (because you want to stop repeating what you have been learning for years, that when you take down the computer, with the computer turned off, there is a lot of data that remains in RAM memory for a particular amount of time, of course, okay, so try to expand on this topic); malware analysis in digital forensics; and cybersecurity and digital forensics trends. Those are keywords that will be facilitating your expansion of digital forensics knowledge.

Other considerations are some particular journals, okay. In this case I'm going to risk it and recommend Digital Investigation, that is published by Elsevier, which is one of the top in the world; the other one is the Journal of Digital Forensics, Security and Law; and Forensic Science International: Digital Investigation.

Report. I'm open to any question you may have, and one more time, before I close my lips, I want to sincerely thank you, EC-Council, for another opportunity to talk about this fascinating topic. Thank you very much to all the staff in EC-Council that work tirelessly, who made this presentation a possibility, and thank you so much as well to you guys attending the conference and for the questions that you may ask.

Thank you very much, Dr. Lewis, for such an insightful and informative session. That was really a very interesting webinar and we hope it was worth your time too. Now, before we begin with the Q&A, I would like to inform all the attendees that EC-Council's CHFI maps to the forensic investigator and the consultant, digital forensics. Anyone with the CHFI certification is eligible for 4,000-plus job vacancies globally with an average salary of $95,000. If you're interested to learn more, kindly take part in the poll that is going to be conducted now. Let us know your preferred mode of training and we will reach out to you soon.
Dr. Lewis, shall we start with the Q&A?

Yes, I'm ready.

Okay, our first question is: how to prove in a court of law that the collected evidence is from the same object and not collected from any other object?

This is a very important question. I really appreciate the clarification on this topic. As I said, we have to be very careful about the way we collect the data. When we are talking about objects, objects are associated to bits, not to bytes only, but bits. And as I mentioned multiple times, when we do the copy of the original data we want to make sure that we always do bit by bit. When you do bit by bit and not byte by byte, because a bit implies up to 3.4 volts in electricity, we are eliminating the possibility of mistake. Objects are bigger; a bit does not constitute an object, objects are formed by multiple bits. This is why we have to do the analysis bit by bit, and I mentioned that multiple times.

Thank you for answering that question. Our next question is: what kind of forensic data can we obtain from encrypted data where the key is not available to decrypt the data?

Could you please repeat the question?

What kind of forensic data can be obtained from encrypted data where the key is not available to decrypt the data?

You encrypt data...

I'll just paste the question to you on chat, Dr. Lewis.

I'm not watching the chat right now; something happened. I'm not watching the chat, sorry. Hello, hello, hello, can you hear me?

Yes, I can hear you. Yes, I have posted the question on the chat, Dr. Lewis.

Okay, okay, please.

Yes, I have already pasted it.

Okay, let me check here. Okay, give me a second. Okay: what kind of forensic data can be obtained from encrypted data? Oh, okay, okay. Well, this is another misperception, okay? Everybody knows that when the data is encrypted we cannot open the data or the particular file, document, video, any kind of digital forensic data. Let me tell you something: there are multiple forensic tools that have the ability to decrypt the data even when we don't have the key. And I understand the key component, and I understand the two types of encryption, symmetric and asymmetric, and as I said, I have multiple publications about encryption. But there is most likely always the possibility to encrypt data without having the encryption key. I understand that it doesn't sound popular, it's not what we hear every single time, but when we specialize in digital forensics we usually have the tools we need to decrypt the data, especially if you are using artificial intelligence. Also in the government, at least in the US government, in my operation, in the operation I direct, I handle, I supervise, we are using artificial intelligence for multiple things in cybersecurity since 2017, and we are also using quantum computing. Quantum computing is not coming; quantum computers have been in use in the US government for years now, so we have been using quantum computing for years. There are multiple ways to decrypt the data when the encryption key is not available, multiple ways, multiple applications as well that help with the process. It's very time consuming, but there is a possibility for that, and this is a great question, because the question is, okay, how about if the hard drive is encrypted, there is nothing that I can do, right? No, this is not like that. There are always ways to decrypt the data, always, it doesn't matter how strong the encryption is, but you need to have the appropriate tools in place. For example, I'm going to mention just one: EnCase. When I presented some tools that I suggest before, I said that EnCase is very expensive; EnCase does "magic", between quotation marks; EnCase does multiple things that we don't learn in the school, okay?
So I can see the other question here: how to adapt to investigation in the cloud, since the cloud providers do not allow most of the important operations to access media? When you have to do a case or conduct digital forensics in the cloud, the cloud providers, 99% of the time (I don't want to say 100 because I don't want to risk on that), but usually the cloud providers include in the SLA, in the service level agreement, what is going to happen if a digital forensic or any kind of investigation needs to be performed in the cloud space. So most likely the cloud operator is going to facilitate access to everything you need. Sometimes you have to move and go physically to the place in which the data is hosted. Don't believe that the cloud provider doesn't know where the data is hosted; we know where the data is hosted, specifically. I have been in San Diego, California, and in other states, in Hawaii, back in 2019 as well, doing forensic investigation in a cloud environment. It was actually for something government related, and I was given the permission I needed to do any kind of investigation. So cloud providers facilitate forensic analysis, because forensic analyses are usually related to legal cases. There are multiple cases in which in the USA we don't have access to this data, and I'm going to mention an example: TikTok. The problem between the US government and TikTok is that when TikTok got the authorization to operate in the USA, the government was one step behind, okay, and we don't regulate TikTok at this point. TikTok has the ability to prevent forensic investigation in the TikTok platforms for the US government court system or legal system, okay? But again, usually cloud providers facilitate investigation in the cloud 100%; they cooperate in every single manner; they have to facilitate the forensic investigation.

Thank you for answering that question. We'll take the last question for the day: what are the best open source, free tools for social media forensics?

There is no best open source tool; it is a combination of tools. Number one, digital forensics cannot be performed, categorically speaking, with one or two tools. This is a complex, time-consuming and expensive process. I made some suggestions; it's included in the slide, let me see the slide, slide number 16. Okay, this is the slide in which I include EnCase, Autopsy, etc. Some of them are, I'm sorry, open source, as I mentioned before, but there is not a particular tool, or two or three tools, that I will recommend, because on top of that every single forensic investigation is about a different process; you cannot use the similar tools. This is why there are, at least in the USA, a very small amount of organizations, companies, that specialize in digital forensics, as my company does. The reason why is because, between many other things, lack of expertise and expenses, okay? So I do not recommend a particular tool, instead the combination of tools. There are multiple open source ones; I mention a few in slide number 16 of my PowerPoint presentation, but again those are not sufficient. Those are the most popular and strong, or more accurate, tools that you can use for digital forensics, but a particular tool, one or two, to do forensic investigation, it doesn't exist; it is impossible.
Thank you again to our wonderful speaker, Dr. Lewis, for answering those questions and for the great presentation and knowledge shared with our global audiences. It was a pleasure to have you with us and we are looking forward to more and more sessions with you. Before we conclude the webinar, Dr. Lewis, would you like to give a small message to our audiences, please?

Well, no, I just want to thank everybody again: the ones that work tirelessly behind the presentation, you in EC-Council, as always, thank you very much for the support, and all the attendees, I hope you learned something new. Let me clarify that every single piece of content, wording, words, etc. that I have been presenting for you is my original creation, 100%, not 99.99 but 100%, categorically speaking, and I put together those notes and reflections for you guys with the hope that you can come back to your organization and serve better, that you can become a public servant and go to the court and testify in favor of the party that deserves your benefits. And I sincerely thank you for the opportunity to share my expertise with you guys. Have a nice weekend, okay? Thank you very much for the time and questions. Thank you so much.

Thank you so much, Dr. Lewis, for your message. Before we end the session, I would like to announce the next Cyber Talks session, "Why are strong foundational cybersecurity skills essential for every IT professional?", which is scheduled on November 8, 2023. This session is an expert presentation by Roger Smith, director, Car Managed IT, industry fellow at Australian Defence Force Academy. To register for this session, please do visit our website, www.ccu.edu cyber talks; the link is given in the chat section. Hope to see you all on November 8th. With this we end the session; you may disconnect your lines. Thank you. Thank you so much, Dr. Lewis, pleasure having you.

Likewise, thank you very much for the opportunity. Thank you, have a good day.