Hello, everyone, and welcome to today's session on digital forensics: best practices from data acquisition to analysis. I'm Shilpa Goswami, and I'll be your host for the day. Before we get started, we would like to go over a few house rules for our attendees. The session will be in listen-only mode and will last for an hour, of which the last 15 minutes will be dedicated to Q&A. If you have any questions during the webinar, for our organizers or speakers, please use the Q&A window. Also, if you face any audio or video challenges, please check your internet connection or you may log out and log in again. An important announcement for our audience: we have initiated CPE credit certificates for our participants. To qualify for one, attendees are required to attend the entire webinar and then send an email to cyber talks at eccouncil.org, after which our team will issue the CPE certificate. Also, we would like to inform our audience about the special handouts. Take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC-Council and Cyber Talks. We will share free handouts with the first 15 attendees.
As a commitment to closing the cybersecurity workforce gap by creating multi-domain cyber technicians, EC-Council pledges $3,500,000 towards CCT Education and Certification Scholarships to certify approximately 10,000 cyber professionals ready to contribute to the industry. Did you know that you can be part of the lucrative cybersecurity industry? Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cybersecurity professionals. The cybersecurity industry has a 0% unemployment rate. The average salary for an entry-level cybersecurity job is about $100,000 per year in the United States. Furthermore, you don't need to know coding, you can learn from home, and you get a scholarship to kick-start your career. Apply now. EC-Council is pledging a $3,500,000 CCT scholarship for cybersecurity career starters. Scan the QR code on the screen to apply for the scholarship. Fill out the form. Now, about our speaker, Dr. Luis. Dr. Luis Noguerol is the Information Systems Security Officer for the U.S. Department of Commerce, NOAA, where he oversees the cybersecurity operation for six states in the Southeast Region. Dr.
Luis is also the President and CEO of the Advanced Division of Informatics and Technology, Inc., a company that focuses on data recovery, digital forensics, and penetration testing. He is a world-renowned expert in data recovery, digital forensics, and penetration testing. He holds multiple globally recognized information technology and cybersecurity certifications and accreditations and is the recipient of multiple awards in technology, cybersecurity, and mathematics. He currently serves pro bono as an editorial board member and reviewer for the American Journal of Information Science and Technology, is a member of the prestigious high-edging professor program for undergraduate and graduate programs at multiple universities in the U.S., and is a reviewer for the doctoral program at the University of Karachi in Pakistan. He is the author of multiple cybersecurity publications and articles, including Cybersecurity Issues in Blockchain: Challenges and Possible Solutions. He is also one of the co-authors and reviewers of the worldwide acclaimed book Intrusion Detection Guide. Prior to obtaining his doctorate degree in Information Systems and Technologies from the University of Phoenix, Dr.
Luis earned a Bachelor of Science in Radio Technical and Electronic Engineering, a Bachelor of Science in Telecommunications and Networking, and a Master of Science in Mathematics and Computer Science. Without any further delay, I will hand over the session to you, Dr. Luis.

Thank you very much. Thanks. Okay. Good morning, everybody. Good afternoon, and good night, depending on the specific area in which you reside. We are going to have an interesting conversation today about digital forensic best practices from data acquisition to analysis. This is the title of the presentation or subject, and I'm more than happy to be here with you all and share some of my expertise. So, let's go ahead and start the conference, okay? She already mentioned some of my credentials. I have been working in cybersecurity at this point for over 41 years. This is in my DNA, a topic that I like and respect so much that I cannot talk about any other topic in my life. Before we go, I have here a statement that I put together for you, okay? Digital forensic best practices.
Well, consideration number one, just to break the ice: in the labyrinth of cyberspace, where shadows dance through encased passages and data whispers its secrets, the digital detective emerges. This is us, the digital forensic experts. Clad in lines of code and armed with algorithms, we seek the hidden treasures of truth, solving enigmatic cybercrimes. With a visual magnifying glass, this is what we do: we dissect the digital tapestry, unveiling the footprints of elusive cyber culprits. This is what cyber forensics, or digital forensics, is about. Each keystroke and pixel holds a clue, something that we can use in our favor. And in this mesmerizing world of the digital era, ones and zeros, the art of digital forensics is about finding the secret of the digital reality. Digital forensics is about finding evidence that can lead to a particular process. It can be a legal process, or it can be any other kind of process. But what is digital forensics from my point of view? Well, I mentioned earlier that I've been working in cybersecurity for 41 years. My specialties are in penetration testing, data recovery, and digital forensics. I've been working for the police department in multiple places doing digital forensics for them.
So I try to put together an easy definition for you, from my standpoint, of what digital forensics is. Digital forensics investigates digital devices and electronic data to use as evidence. Please note that I don't say electronic information; I use the word "data" intentionally. The goal is to understand digital events and trace illicit activities. This is a key component of digital forensics. Normally speaking, digital forensics happens, of course, after the facts, and the idea of digital forensics is identifying traces, okay, that lead to particular data that we can gather together and make a conclusion. It involves the systematic collection, preservation, analysis, and presentation of digital evidence in legal proceedings. This is key today because we are technology-dependent, and there are multiple states, at least in the USA and some other countries, where digital forensics is still in limbo because it's not accepted in the court of law. Okay. So, this is very important to keep in mind. What are we going to do from the digital forensics standpoint, the data collection process, and the analysis?
Digital forensics experts use specialized techniques and tools to extract data from computers, smartphones, networks, and digital storage media to support investigations and resolve legal matters. So this is basically what digital forensics is about. Let's go ahead and start with the technical part, which is the topic I like most. Okay, let's talk about those 30 best practices that I've put together for you. At the end of the presentation, you will have the opportunity to ask as many questions as you like. 1. You have to follow the legal and ethical standards: For this particular first point, I am not going to make any comment. I believe that ethics is a key component of cybersecurity. We always have to follow the rules. We must always follow the legal procedures in the places in which we operate because every single place is a different component. 2. Understand the original evidence: This is key. Okay. You always have to maintain the integrity of the original evidence to ensure it is admissible in court. Any kind of manipulation or modification will result in disqualification from the court system.
Document everything: This is something that technical people like me don't like too much, but when it comes to digital forensics, we have to document every single step we take. We have to record all the steps we follow, and we want to make sure that everything is documented and recorded in a specific chronological order. This is a key component for digital forensics or investigations to be accepted in the court of law. Secure the scene: It's not just physical crime scenes that need to be secured to prevent contamination or tampering. If you present anything in court and the opposing party has the ability to prove that something was not preserved, the conversation is over. Chain of custody: I'm going to repeat this more than once during the presentation. Sorry. Chain of custody refers to how you establish and maintain the evidence and the process that facilitates how the tracking process is handled. Use write-blocking tools: This is another key component of digital forensics. It means that you have to use the appropriate hardware and software that allow for write blockers when you are collecting data to prevent alteration.
There is a set of tools you can use, and at the end of the presentation, I'm going to provide you with a specific set of tools you can use as write-blocking tools. Verify hashing or hash values: This is how you calculate and compare hash values to verify the data's integrity. There is often confusion about integrity, confidentiality, and availability. In digital forensics, the most important component is integrity. It means that we must make every effort to ensure that the data is not modified in any possible way, from the time we arrive at the scene to the time we present the evidence in court, and even after that as well. So the other component is Collect volatile data first. Okay, this obviously makes perfect sense. You have to prioritize this type of data collection as it can be lost or modified when the system is powered down. For many of you, what I'm going to tell you may sound not appropriate, and this is the following assessment: we've been told from the time we arrived at school, and even at work, that information or data in random access memory (RAM) disappears when the computer is shut down.
Back in 2019, I made a presentation similar to this one for this account, in which I proved that the data in RAM can be recovered. Okay. So, what we have been learning in multiple places, and what you can easily find on Google, that data in RAM is lost when computers are powered down, is not exactly correct. The other component is Forensic image. You have to create a forensic image of storage devices to work with copies. You must always present the original evidence. This is a requirement in the court of law. You must present the original evidence every single time. The other component is Data recovery. Data recovery is closely associated with digital forensics for obvious reasons. Okay. You have to employ specialized tools to recover deleted or hidden data. This is also something to keep in mind. At the end, I'm going to provide some specific applications you can use to do data recovery. Timeline analysis: You must construct and analyze timelines to understand the sequence of events. What happened first? The chronological order is a mandatory requirement in the court of law. You cannot present evidence in court in a random manner. You have to follow the specific chronological order.
The other consideration is Preserving the metadata. Ensure metadata integrity to verify results, timing, and authenticity of the digital artifacts you are going to present in the court of law. Use known good reference data: This means you have to compare the collected data with known good reference data to identify anomalies, specific patterns, and statistical processes. Many times, you have to do this as well. Anti-forensic awareness: You have to be aware of the anti-forensic techniques in use. There are multiple applications that work against digital forensics. So, you must be aware of that. Before you start digital forensics analysis, while working on the data collection process, you want to make sure you don't have any anti-forensic tools or applications installed on the particular host or hosts in which you are going to conduct the investigation. Another very important component is Cross-validation. This is what brings actual reputation and respect to the data you are presenting in the court of law. Okay? So the standard operating procedures are a very important component that is oftentimes overlooked, and it's about developing and following SOPs that maintain consistency.
This is why documentation is key, and it was presented in slide number one. Training and certification are also important components, and this is relevant. The reason why it's relevant is that I understand you can learn many things by yourself. This is becoming more popular as we become more technology-dependent. This is normal and expected, but certifications still hold particular value. There are multiple questions in certification exams, in general terms, not only in EC-Council certifications or others, which, most likely, if you don't go through the certification process, you will never find out. And this is what some people say: "Well, this is theoretical information." Digital forensics involves a lot of theoretical information -- a lot. Remember that we are doing the analysis at a low level, from the technical standpoint. So theory is extremely important and relevant when we do forensic investigations -- digital forensics. The same happens with medical doctors. When medical doctors do a forensic analysis of the body of someone who passed away, they also employ a lot of theoretical knowledge they have been accumulating. Digital forensics is no different.
The other consideration is expert testimony. Okay? I, for example, live in Miami, Florida, in the USA, and I am one of the 11 experts certified by the legal system in the 11 districts. This means that when you go to court, you have to be classified as an expert in order to provide comments and evidence. Otherwise, you will probably not be able to speak in court, as what we say in court is relevant for the case. And with our wording or statement, along with the evidence we provide, we have the ability to put somebody in jail or release this person from jail. So, this is extremely important. Okay? So, evidence storage is one of the most important components. Your opponent in court or in your company will try their best to challenge what you are presenting. So, you have to safely store and protect evidence to maintain its integrity. Integrity is the most important characteristic or consideration in digital forensics -- without any other factor coming close. So, integrity is everything in digital forensics. Okay? Data encryption: There are multiple cases in which you will do digital forensics on encrypted storage devices, encrypted data, or encrypted applications.
You need to develop the ability to handle encrypted data and understand the encryption methods. Among the publications I have, I have over 25 publications on different topics and concepts within security. A few of them, probably five or six, are specifically about encryption. If we want to do digital forensics, we must become data encryption experts. There is no other way. I understand that many people don't like math, statistics, physics, etc., but this is a requirement for doing an appropriate digital forensic assessment. It's a necessity today. Okay? The other consideration, and this is for the people who love technology like me attending or watching this conference, is network. I am a big fan of networks. I have been working in networking for 41 years. My doctoral degree is in telecommunications and cybersecurity. So, networking is in my DNA. I love networking more than any other topic in information technology. Network analysis is the ability to analyze network traffic, logs, and data to trace digital footprints. I'm pretty sure everyone has a tool in mind, and, of course, this tool is most likely part of the tools I'm going to provide in the last slide for you.
But network analysis today, from a digital forensics standpoint, is everything. Everything is network-related in one way or another. Malware analysis: We need to develop the ability to understand malware behavior and analysis and how that malware impacts systems. This needs to be incorporated as part of the cybersecurity analysis when performing digital forensics today. Cloud forensics: I don't have to highlight how important cloud operations are. Okay? We are moving operations to the cloud, and for those still running operations on-premises, there is a high expectation that sooner rather than later, you will move operations to the cloud for multiple conveniences. However, the configuration at this point does not fully benefit all aspects of the cloud. From a forensic standpoint, when you do cloud forensics, the situation is a little different from on-premises investigations. So, you have to adapt methodologies for investigating data in the cloud, regardless of the cloud provider. Here, for that matter, you can see AWS, Google, Azure, or anyone else. The operation in the cloud is somehow different from a digital forensics standpoint, starting with how you access the data.
Remote forensics: Remote forensics is the opportunity to develop skills for collecting and analyzing data from a remote location. This is happening more frequently now as we become more telework-dependent. In multiple cases -- my own company, for example; you know my job with the government, but I also own my own company -- I have been doing more remote digital forensics in the last two or three years, probably two years, than probably ever before in my life. So, this is an important skill to develop as well. Case management: This is how we use digital forensics case management to organize and track investigations. I mentioned to you that I go to court very often -- more often than I want, very, very often. Okay. And they scrutinize every single protocol you present, every single artifact, every single document, and the specific chronological order. This is a complex process. It's not just collecting the data, performing the digital forensics analysis, and going to court to testify. Okay? The process is much more complex than this. Collaboration: Collaborate with other experts, and there's one in the middle that I'm going to highlight in a few.
Collaborate with other experts, law enforcement, or organizations for complex cases. Cases are different from one another. Of course, this is okay, and I know you know that. Okay? But you have some cases sometimes in which the forensic analysis becomes very complex. In those particular cases, my advice is to collaborate with others. Okay? You do better when you work as part of a team and not when you work independently. I'll skip the data privacy compliance for a minute because this is relevant. Every single state, every single... No exception. A state court operates on different requirements. So, you want to make sure that you follow the privacy regulations in your specific place. Okay? And by the way, I'm going to ask you a question. I'm not expecting any response. But the question is: by any chance, do you know the specific digital forensic regulations in the place you live? Ask yourself this question, and probably some of you are going to respond "no." This is a critical thing. Continuous learning: You need to keep asking about what we do. Okay? Cybersecurity is a specialization of IT. From my point of view, it's the most fascinating topic in the world.
This is 0:24:57.320,0:25:00.279 the only topic I can talk about 0:25:00.279,0:25:04.399 for 25 hours without drinking water. 0:25:04.399,0:25:07.640 This is my life. I dedicate multiple 0:25:07.640,0:25:10.360 hours every single day, seven days a week, 0:25:10.360,0:25:13.039 even when it creates some personal 0:25:13.039,0:25:15.960 problems with my family, etc. This is in 0:25:15.960,0:25:19.960 my DNA. I encourage each of you, if you 0:25:19.960,0:25:23.679 are not doing so, to dedicate your life to 0:25:23.679,0:25:27.120 becoming a digital forensics expert. Digital 0:25:27.120,0:25:30.320 forensics is one of the most fascinating 0:25:30.320,0:25:33.120 topics on the planet. Okay. And you want 0:25:33.120,0:25:36.559 to be attentive to these types of things. 0:25:36.559,0:25:38.520 Report and presentation: When you go to 0:25:38.520,0:25:41.360 the court or when you present the 0:25:41.360,0:25:44.080 outcomes of all the digital forensic 0:25:44.080,0:25:46.600 work to your organization, you want 0:25:46.600,0:25:48.360 to make sure that you use clear 0:25:48.360,0:25:52.320 language, you are concise, and you are 0:25:52.320,0:25:54.559 ready for the presentation questions and 0:25:54.559,0:25:56.679 answers. You never want to go to the 0:25:56.679,0:25:59.000 court unprepared. Okay? Never in your 0:25:59.000,0:26:00.880 life. This is not appropriate because, at 0:26:00.880,0:26:04.440 the end, your assessment has the 0:26:04.440,0:26:07.520 possibility to put somebody in jail, or 0:26:07.520,0:26:09.080 somebody will be fired from the 0:26:09.080,0:26:12.320 organization or not. So what we say is 0:26:12.320,0:26:16.200 relevant. Our wording has a huge impact 0:26:16.200,0:26:18.960 on other people's lives. It's important 0:26:18.960,0:26:21.399 to be attentive to that. 
One of the most 0:26:21.399,0:26:24.720 relevant topics that I have been using in 0:26:24.720,0:26:27.679 my practice is the use of artificial 0:26:27.679,0:26:30.760 intelligence in digital forensics, since 0:26:30.760,0:26:35.919 2017. This is not a topic that is well 0:26:35.919,0:26:39.480 known at this point, and this is the reason why I 0:26:39.480,0:26:41.919 really want to share my experience-- 0:26:41.919,0:26:44.919 practical experience--with you guys: 0:26:44.919,0:26:47.919 digital evidence analysis, how artificial 0:26:47.919,0:26:51.720 intelligence can help us. Well, everybody 0:26:51.720,0:26:55.320 knows that we have multiple applications 0:26:55.320,0:26:58.399 that we can use in order to analyze 0:26:58.399,0:27:00.480 the different kinds of media that can be 0:27:00.480,0:27:03.440 generated, for example, text, images, and 0:27:03.440,0:27:06.279 videos. Artificial intelligence systems 0:27:06.279,0:27:09.159 have the ability to detect and flag 0:27:09.159,0:27:11.320 potentially relevant content for 0:27:11.320,0:27:13.399 investigations, especially from the 0:27:13.399,0:27:17.000 timing standpoint. Digital forensics is 0:27:17.000,0:27:19.919 extremely time consuming, very, very 0:27:19.919,0:27:23.200 time consuming and complex. This is 0:27:23.200,0:27:27.000 probably, along with data recovery, the 0:27:27.000,0:27:29.260 most complex specialization in 0:27:29.260,0:27:32.760 cybersecurity. So the use of artificial 0:27:32.760,0:27:35.679 intelligence in our favor is very 0:27:35.679,0:27:38.159 convenient. And at the end, I'm going to 0:27:38.159,0:27:40.720 include as well--or actually I included 0:27:40.720,0:27:44.039 in the list--a particular artificial 0:27:44.039,0:27:45.919 intelligence tool that you can use in 0:27:45.919,0:27:49.159 your favor. The other use of artificial 0:27:49.159,0:27:51.600 intelligence is pattern 0:27:51.600,0:27:54.159 recognition. 
Artificial intelligence can 0:27:54.159,0:27:56.960 identify patterns in data, helping 0:27:56.960,0:27:59.720 investigators recognize anomalies or 0:27:59.720,0:28:02.720 correlations in digital artifacts that 0:28:02.720,0:28:05.720 may indicate criminal activity. 0:28:05.720,0:28:07.640 Out of the whole sentence, the most 0:28:07.640,0:28:12.000 important question is: "What is the key word?" The key word: 0:28:12.000,0:28:15.080 correlation. How do we correlate data by 0:28:15.080,0:28:17.039 using artificial intelligence? The 0:28:17.039,0:28:19.399 process is going to be simplified 0:28:19.399,0:28:22.000 dramatically, speaking based on my 0:28:22.000,0:28:25.080 personal experience. The other component is 0:28:25.080,0:28:28.240 NLP. This can be used to analyze 0:28:28.240,0:28:31.440 text-based evidence, including logs 0:28:31.440,0:28:33.919 and emails, to uncover communication 0:28:33.919,0:28:37.039 patterns or hidden meanings. A lot of the 0:28:37.039,0:28:39.679 evidence that we collect, about 0:28:39.679,0:28:43.760 65%, is included in emails, chats, 0:28:43.760,0:28:48.080 documents, etc., so this is when NLP plays 0:28:48.080,0:28:49.960 a predominant role in artificial 0:28:49.960,0:28:52.120 intelligence in the digital forensic 0:28:52.120,0:28:55.399 analysis. For image and video analysis, it provides 0:28:55.399,0:28:58.159 incredible benefits. Okay? You have the 0:28:58.159,0:29:00.039 ability to analyze multimedia 0:29:00.039,0:29:02.559 content to identify objects, people, and 0:29:02.559,0:29:05.000 potentially illegal or 0:29:05.000,0:29:08.320 sensitive content. I'm sure a word 0:29:08.320,0:29:11.200 is coming to your mind right now: steganography. 0:29:11.200,0:29:14.000 Yes, this is part of steganography, but it's 0:29:14.000,0:29:18.480 not similar to doing steganography by using a 0:29:18.480,0:29:20.440 particular application. 
When you 0:29:20.440,0:29:23.159 employ artificial intelligence tools 0:29:23.159,0:29:25.279 that are dedicated exclusively to 0:29:25.279,0:29:28.360 digital forensics, the benefit is really 0:29:28.360,0:29:31.080 awesome. Predictive analysis: Machine 0:29:31.080,0:29:33.720 learning models can predict potential 0:29:33.720,0:29:37.120 areas of interest in an investigation, 0:29:37.120,0:29:39.559 guiding forensic experts to focus on 0:29:39.559,0:29:42.039 critical evidence. Imagine that you are 0:29:42.039,0:29:45.279 analyzing a hard drive that is one 0:29:45.279,0:29:49.039 terabyte and holds a lot of 0:29:49.039,0:29:52.600 documents, videos, pictures, sounds, etc. You 0:29:52.600,0:29:55.080 know that, right? If you are 0:29:55.080,0:29:56.960 attending this conference, it's because you 0:29:56.960,0:29:59.360 are very familiar with information 0:29:59.360,0:30:02.880 technology, cybersecurity, and digital forensics. 0:30:02.880,0:30:06.640 Well, how do you find the specific data you 0:30:06.640,0:30:09.480 need to prove something in a court of 0:30:09.480,0:30:12.360 law? You have to be very careful 0:30:12.360,0:30:14.519 about the pieces of data you pick for 0:30:14.519,0:30:17.760 the analysis; otherwise, your 0:30:17.760,0:30:20.080 assessment is not appropriate. And again, 0:30:20.080,0:30:23.000 every single word we say in a court 0:30:23.000,0:30:26.159 of law or in the organization we 0:30:26.159,0:30:29.720 are working for is relevant. It implies 0:30:29.720,0:30:31.799 that probably somebody will be in jail 0:30:31.799,0:30:35.080 for 30 years, or probably somebody, if we're 0:30:35.080,0:30:38.440 talking about a huge crime like an 0:30:38.440,0:30:41.559 assassination or child pornography abuse, 0:30:41.559,0:30:45.320 will face consequences like death. Our 0:30:45.320,0:30:48.600 assessment is critical. Okay? We become 0:30:48.600,0:30:51.720 the main players when 0:30:51.720,0:30:53.880 digital forensics is involved. 
We have to 0:30:53.880,0:30:56.240 be very careful about the way we do it. 0:30:56.240,0:30:59.480 This is not a joke; it's very serious. Okay? 0:30:59.480,0:31:01.480 Predictive analysis, machine learning 0:31:01.480,0:31:03.600 models, or artificial intelligence are 0:31:03.600,0:31:06.320 pretty close in this concept and can predict 0:31:06.320,0:31:08.480 potential areas of interest in an 0:31:08.480,0:31:11.240 investigation. But we also talk about 0:31:11.240,0:31:12.880 detection. Artificial intelligence-driven 0:31:12.880,0:31:15.720 security tools can identify 0:31:15.720,0:31:17.960 cyber threats and potential cybercrime 0:31:17.960,0:31:21.299 activities, helping law enforcement and cybersecurity 0:31:21.299,0:31:23.600 teams respond effectively and 0:31:23.600,0:31:27.240 proactively. More importantly, the 0:31:27.240,0:31:30.039 majority of us have multiple tools that 0:31:30.039,0:31:31.440 we call proactive 0:31:31.440,0:31:34.519 in our place of work. Okay? We 0:31:34.519,0:31:37.600 have different kinds of monitors, etc. But 0:31:37.600,0:31:39.840 the possibility to do something in a 0:31:39.840,0:31:43.399 proactive mode is really what we want. 0:31:43.399,0:31:45.639 Evidence authentication: Artificial 0:31:45.639,0:31:47.120 intelligence can assist in the 0:31:47.120,0:31:49.360 authentication of digital evidence, 0:31:49.360,0:31:51.440 ensuring its integrity and the 0:31:51.440,0:31:54.200 possibility of this data being admitted 0:31:54.200,0:31:57.399 in court. Data recovery: Artificial 0:31:57.399,0:32:00.440 intelligence helps with the recovery of 0:32:00.440,0:32:02.279 data that has been deleted, 0:32:02.279,0:32:05.320 intentionally or unintentionally. It 0:32:05.320,0:32:07.399 doesn't matter. When we do digital 0:32:07.399,0:32:10.919 forensics, we want to have as much data as 0:32:10.919,0:32:14.880 we can to make a case 0:32:14.880,0:32:17.600 against a particular party. 
From the 0:32:17.600,0:32:20.200 malware analysis standpoint, 0:32:20.200,0:32:23.240 artificial intelligence brings a lot of 0:32:23.240,0:32:25.960 speed, and this is needed because, again, 0:32:25.960,0:32:29.240 you are looking for a needle in a ton of 0:32:29.240,0:32:33.039 water or in a ton of sand, and this 0:32:33.039,0:32:35.639 is very complex. From the network 0:32:35.639,0:32:37.880 forensics standpoint, we are accustomed to 0:32:37.880,0:32:40.720 using tools such as Wireshark, which everybody 0:32:40.720,0:32:44.480 knows. Well, anyway, 0:32:44.480,0:32:46.559 there are now specific artificial 0:32:46.559,0:32:49.200 intelligence tools for network forensic 0:32:49.200,0:32:53.240 analysis. I have included two of 0:32:53.240,0:32:56.039 those tools in the list on the last 0:32:56.039,0:32:59.440 slide. Automated triage: This is one of the 0:32:59.440,0:33:01.559 most important considerations for you to 0:33:01.559,0:33:04.000 keep in mind with artificial intelligence in 0:33:04.000,0:33:08.120 digital forensics. Speed is key. It's basically 0:33:08.120,0:33:11.039 the ability to do 0:33:11.039,0:33:15.960 correlation between large data sets. Case 0:33:15.960,0:33:18.399 priority: Artificial intelligence can 0:33:18.399,0:33:20.480 assist investigators in 0:33:20.480,0:33:23.519 prioritizing cases based on factors like 0:33:23.519,0:33:25.960 severity, potential impact, or resource 0:33:25.960,0:33:29.200 allocation, meaning timing. 0:33:29.200,0:33:31.919 Predictive policing: This is super important 0:33:31.919,0:33:35.039 because, until today, digital forensics has 0:33:35.039,0:33:38.399 always been reactive. We react to 0:33:38.399,0:33:40.840 something that happened. The possibility to 0:33:40.840,0:33:44.120 make predictions in digital forensics is 0:33:44.120,0:33:46.519 fantastic. It has never happened before. 0:33:46.519,0:33:49.240 This is new, at least for me. 
I started 0:33:49.240,0:33:51.600 using artificial intelligence back in my own 0:33:51.600,0:33:54.919 company in 2017, and I have been able to 0:33:54.919,0:33:55.960 use that in 0:33:55.960,0:33:59.399 multiple cases for the police department 0:33:59.399,0:34:02.600 in Miami and in two other cities in 0:34:02.600,0:34:06.639 Florida: Tampa and St. Petersburg. The 0:34:06.639,0:34:09.239 results have been amazing. Document 0:34:09.239,0:34:12.280 analysis: You know that NLP can extract 0:34:12.280,0:34:14.800 information from documents and analyze 0:34:14.800,0:34:17.119 textual content for investigations. 0:34:17.119,0:34:19.079 Artificial intelligence dramatically minimizes 0:34:19.079,0:34:21.440 the time needed for that. 0:34:21.440,0:34:24.639 Emotional recognition: Everybody 0:34:24.639,0:34:27.760 knows what happened with the DSP 0:34:27.760,0:34:31.560 algorithms. Okay? So we can use artificial 0:34:31.560,0:34:33.918 intelligence to analyze videos, 0:34:33.918,0:34:38.040 which is awesome because our eyes, the 0:34:38.040,0:34:40.239 muscles in our eyes, don't have the 0:34:40.239,0:34:43.399 ability to lie. We can lie when we speak, 0:34:43.399,0:34:46.079 or we can try, but our eyes' reactions 0:34:46.079,0:34:49.119 to a particular stimulus cannot be hidden 0:34:49.119,0:34:51.960 or cannot be modified. So this is unique. 0:34:51.960,0:34:54.480 From the data privacy and compliance standpoint, you 0:34:54.480,0:34:57.119 also have the ability to 0:34:57.119,0:35:02.680 automate the specific data you want to 0:35:02.680,0:35:06.800 include as part of your report. Okay? Now, 0:35:06.800,0:35:09.280 digital forensic data acquisition steps: 0:35:09.280,0:35:12.400 From my standpoint, after 41 years of experience, 0:35:12.400,0:35:15.480 preservation--we already talked about this. 0:35:15.480,0:35:18.160 Documentation: Preservation is integrity. 0:35:18.160,0:35:21.320 Okay? 
This is the most important 0:35:21.320,0:35:24.119 consideration, categorically speaking, in 0:35:24.119,0:35:25.880 any kind of digital forensic 0:35:25.880,0:35:28.400 investigation. You have to preserve the 0:35:28.400,0:35:31.320 data as it is. And remember, you never use 0:35:31.320,0:35:33.119 the original data for your forensic 0:35:33.119,0:35:36.520 analysis--never. You always use a copy. And 0:35:36.520,0:35:40.469 to make copies, you have to use bit-by-bit 0:35:40.469,0:35:43.320 applications. Bit-by-bit--you cannot 0:35:43.320,0:35:46.800 copy bytes, or you cannot copy data 0:35:46.800,0:35:49.160 and forget about the information. So, 0:35:49.160,0:35:52.359 preservation is the most important thing. 0:35:52.359,0:35:54.520 Documentation: We already know that 0:35:54.520,0:35:56.960 everything needs to be documented, okay? 0:35:56.960,0:35:59.960 From the crime scene to the 0:35:59.960,0:36:02.599 last point. Chain of custody: One more 0:36:02.599,0:36:04.640 time, and I guess I'm going to 0:36:04.640,0:36:07.119 mention this one more time, because chain 0:36:07.119,0:36:10.280 of custody means, or opens the door for 0:36:10.280,0:36:13.079 you, to present a case in the court of 0:36:13.079,0:36:17.400 law, or to prove, in 0:36:17.400,0:36:20.040 your organization, that what you 0:36:20.040,0:36:22.520 are presenting is appropriate. You have 0:36:22.520,0:36:25.839 to plan how you are going to collect the 0:36:25.839,0:36:29.160 data. 
You have to plan with anticipation 0:36:29.160,0:36:31.640 the specific tools you are going to use, 0:36:31.640,0:36:34.760 what methods you are going to consider 0:36:34.760,0:36:37.200 in your data collection process. This is 0:36:37.200,0:36:40.079 relevant. And you always have to consider 0:36:40.079,0:36:44.040 the cons. The cons are probably more important 0:36:44.040,0:36:47.520 than the pros when you select or decide to 0:36:47.520,0:36:51.119 use a particular application for the 0:36:51.119,0:36:54.160 data acquisition. You always want to 0:36:54.160,0:36:57.359 focus on the negative. People usually 0:36:57.359,0:36:59.680 tend to talk about the positive: "Oh, I 0:36:59.680,0:37:02.079 like Wireshark because this and that." 0:37:02.079,0:37:03.560 It's better that you focus on the 0:37:03.560,0:37:06.880 negative. In information technology, 0:37:06.880,0:37:09.599 everything has pros and cons. No 0:37:09.599,0:37:13.240 exceptions. Exceptions do not exist. There 0:37:13.240,0:37:16.839 is not one exception. Everything positive 0:37:16.839,0:37:18.760 has something negative in information 0:37:18.760,0:37:20.880 technology, and this is what you want to 0:37:20.880,0:37:24.599 focus on to avoid problems at the end. 0:37:24.599,0:37:27.800 Okay. So, 0:37:27.800,0:37:29.800 how about the verification process? You 0:37:29.800,0:37:33.800 have to verify, before you work with the 0:37:33.800,0:37:36.640 real data, that the tools and methods you 0:37:36.640,0:37:39.960 selected work. Okay? You never want to 0:37:39.960,0:37:42.560 mess with the original data; you need to work 0:37:42.560,0:37:45.359 with a copy. You want to test in a test 0:37:45.359,0:37:48.359 environment your tools, your methods, your 0:37:48.359,0:37:50.400 approach, the steps you are going to 0:37:50.400,0:37:53.440 follow. It is very time consuming, it is, but, 0:37:53.440,0:37:56.960 by the way, it's also very well paid. It is 0:37:56.960,0:37:58.920 very well paid. The only thing I can tell 0:37:58.920,0:38:00.880 you is that it's very well 
paid. You have no 0:38:00.880,0:38:04.359 idea. If you become a cybersecurity 0:38:04.359,0:38:07.200 expert and specialize in digital 0:38:07.200,0:38:10.680 forensics, this is where the money is, and 0:38:10.680,0:38:13.240 trust me, this is where the money is. Okay? 0:38:13.240,0:38:17.599 I'm telling you in first person. Duplication: 0:38:17.599,0:38:21.000 we talked about that already. The only way 0:38:21.000,0:38:23.960 to do that is by creating a bit-for-bit 0:38:23.960,0:38:27.119 image. There is no other way. Okay? This 0:38:27.119,0:38:29.920 is why you want to use write-blocking 0:38:29.920,0:38:31.920 devices, software and hardware. I 0:38:31.920,0:38:34.560 mentioned that before. Checksums and 0:38:34.560,0:38:37.040 hashing: different concepts that some 0:38:37.040,0:38:40.160 people are still confused about. Okay? 0:38:40.160,0:38:42.040 There is a huge difference between the 0:38:42.040,0:38:46.040 two. The main one is that hashing is a 0:38:46.040,0:38:49.760 one-way function. You go from the left to 0:38:49.760,0:38:51.920 the right, and usually you don't have the 0:38:51.920,0:38:53.720 ability to come back to replicate the 0:38:53.720,0:38:56.839 process. Of course, if you have the 0:38:56.839,0:38:59.280 algorithms on hand, then you can do 0:38:59.280,0:39:02.040 reverse engineering. This is obvious, but 0:39:02.040,0:39:04.319 this is not what happens in regular 0:39:04.319,0:39:06.920 conditions. Okay? So checksums and 0:39:06.920,0:39:10.319 hashing both minimize the possibility 0:39:10.319,0:39:13.200 that you make a mistake in your digital 0:39:13.200,0:39:15.640 forensic 0:39:15.640,0:39:18.240 analysis. The other component is 0:39:18.240,0:39:21.599 acquisition. Okay? So how are you going to 0:39:21.599,0:39:23.599 collect the data? What particular tools 0:39:23.599,0:39:26.040 are you going to use? You always have to 0:39:26.040,0:39:29.359 maintain strict read-only access to the 0:39:29.359,0:39:31.560 source. If you have the ability to 0:39:31.560,0:39:34.640 manipulate the 
data in the source, you 0:39:34.640,0:39:37.640 have the ability to tamper with actually 0:39:37.640,0:39:39.680 the most important consideration out of 0:39:39.680,0:39:43.680 the CIA, which is integrity. If the 0:39:43.680,0:39:46.920 opponent, the opposite party to you in 0:39:46.920,0:39:49.560 your organization, the defendant, in other 0:39:49.560,0:39:53.520 words, has the ability to prove that 0:39:53.520,0:39:56.880 the original data or source can be 0:39:56.880,0:39:58.960 manipulated in any way, the conversation 0:39:58.960,0:40:01.920 is 100% over, and the case will be 0:40:01.920,0:40:04.319 dismissed, categorically speaking. There is no 0:40:04.319,0:40:07.839 more conversation. So this is a humongous 0:40:07.839,0:40:10.440 responsibility when it comes to data 0:40:10.440,0:40:12.920 acquisition: what protocols you use, what 0:40:12.920,0:40:14.800 the specific tools are, how you plan it, 0:40:14.800,0:40:17.040 how you document. It is a very painful 0:40:17.040,0:40:21.319 process, in other words. Okay? Now, data 0:40:21.319,0:40:24.480 recovery: we already talked about the 0:40:24.480,0:40:27.400 complexity of finding a needle in a ton 0:40:27.400,0:40:30.440 of sand. This is super complex. Okay? But it's 0:40:30.440,0:40:34.079 doable. The only thing you have to use is 0:40:34.079,0:40:36.000 the appropriate tools, and you need 0:40:36.000,0:40:38.440 to have a specific plan, because every 0:40:38.440,0:40:41.960 single case is 100% different. Digital 0:40:41.960,0:40:44.800 signatures: sign the acquired data and 0:40:44.800,0:40:48.400 hashes with a digital signature for 0:40:48.400,0:40:50.440 authentication. There are multiple cases 0:40:50.440,0:40:53.960 today in which hand signatures are not 0:40:53.960,0:40:56.960 accepted anymore in the government. I 0:40:56.960,0:40:58.800 am a federal officer for the U.S. 0:40:58.800,0:41:01.920 Department of Commerce in the USA. In the 0:41:01.920,0:41:04.560 government, we are not allowed to sign 0:41:04.560,0:41:07.680 anything by hand, for 
many years back, 0:41:07.680,0:41:11.599 many years. Okay? Digital signatures have 0:41:11.599,0:41:15.720 a specific component that minimizes, 0:41:15.720,0:41:18.240 dramatically speaking, the possibility of 0:41:18.240,0:41:20.720 replication, and this is why this is 0:41:20.720,0:41:23.359 accepted in the court of law. 0:41:23.359,0:41:26.000 Verification: verify the integrity of 0:41:26.000,0:41:29.440 the acquired image by comparing hash values 0:41:29.440,0:41:32.240 with those calculated before. The hash 0:41:32.240,0:41:36.280 values must be exact. No difference, not 0:41:36.280,0:41:39.079 even in one 0:41:39.079,0:41:43.280 0.001 percent. It must match 100%, 0:41:43.280,0:41:46.520 categorically speaking. Otherwise, the 0:41:46.520,0:41:49.119 court is going to dismiss the case as 0:41:49.119,0:41:52.240 well, or the organization probably is not 0:41:52.240,0:41:55.119 going to take the appropriate action versus 0:41:55.119,0:41:59.119 a particular individual or problem or 0:41:59.119,0:42:03.079 process. Okay? Logs and notes: we already talked 0:42:03.079,0:42:05.560 about documentation at the beginning. You 0:42:05.560,0:42:09.280 have to actually make sure that 0:42:09.280,0:42:12.240 everything is timestamped. As I mentioned 0:42:12.240,0:42:15.040 before, at the beginning, digital forensic evidence 0:42:15.040,0:42:18.440 must be collected in a particular order, 0:42:18.440,0:42:21.400 analyzed in a similar manner, and 0:42:21.400,0:42:24.599 presented in the report in the specific 0:42:24.599,0:42:28.040 order in which the process was done. 0:42:28.040,0:42:31.160 Otherwise, the process is going to be 0:42:31.160,0:42:33.720 disqualified, and this is exclusively, at 0:42:33.720,0:42:36.880 this point, our own responsibility and 0:42:36.880,0:42:41.520 nobody else's. Okay? The storage: we already 0:42:41.520,0:42:44.880 know that chain of custody is one of the 0:42:44.880,0:42:46.520 most important components. There are 0:42:46.520,0:42:49.160 multiple forms, depending on the state in 
0:42:49.160,0:42:51.960 which you live, and the countries as well, 0:42:51.960,0:42:54.680 that you have to follow. If you 0:42:54.680,0:42:57.559 miss a check mark, or if you put a check 0:42:57.559,0:43:00.400 mark on those particular forms, you are 0:43:00.400,0:43:04.079 basically dismissing the case yourself, 0:43:04.079,0:43:06.720 unintentionally. The court doesn't work in 0:43:06.720,0:43:10.040 the way many of us believe. Okay? We have 0:43:10.040,0:43:12.280 the possibility to put somebody in the 0:43:12.280,0:43:16.359 electric chair or to release, to provide 0:43:16.359,0:43:18.520 to this particular individual or 0:43:18.520,0:43:21.880 organization. What we say is relevant. 0:43:21.880,0:43:24.400 Okay? This is very important. The brief: 0:43:24.400,0:43:26.119 you always have to be in 0:43:26.119,0:43:29.640 communication with all parties, both the 0:43:29.640,0:43:32.359 one presenting the digital process or 0:43:32.359,0:43:35.359 ruling the process and the other part as 0:43:35.359,0:43:39.520 well. You cannot hide anything, zero, from 0:43:39.520,0:43:41.880 your opponents in the court of law or 0:43:41.880,0:43:44.720 from the defendant's part. Never in your 0:43:44.720,0:43:47.559 life. This is why the first bullet in the 0:43:47.559,0:43:50.040 whole presentation was, as you may 0:43:50.040,0:43:54.079 remember, ethics. Okay? In digital forensics, 0:43:54.079,0:43:57.480 we provide what we know to the other 0:43:57.480,0:44:00.440 parties as well, even to the defendant, to 0:44:00.440,0:44:03.119 the opponents, every single time. No 0:44:03.119,0:44:06.520 exception. And we provide every single 0:44:06.520,0:44:09.559 artifact with the clearest possible 0:44:09.559,0:44:12.480 explanation to the opponents. This is how 0:44:12.480,0:44:14.880 the digital forensic process works. 0:44:14.880,0:44:17.720 Otherwise, it will be dismissed as well 0:44:17.720,0:44:20.839 in the court. Storing: you have to make 0:44:20.839,0:44:24.160 sure that every single piece of digital 
0:44:24.160,0:44:27.000 evidence is 0:44:27.000,0:44:30.520 properly stored, and then that you follow the 0:44:30.520,0:44:32.720 process by the book. Again, if you skip 0:44:32.720,0:44:36.640 one step, just one out of 100 or 200, 0:44:36.640,0:44:39.520 depending on the case, the case is going 0:44:39.520,0:44:42.720 to be dismissed. No exceptions. The court 0:44:42.720,0:44:46.319 goes by the book, as you can imagine, and 0:44:46.319,0:44:48.000 your opponent is going to be very 0:44:48.000,0:44:50.200 attentive to the minimum possible 0:44:50.200,0:44:53.839 failure to dismiss the case. Okay? So how 0:44:53.839,0:44:56.200 do you transport the data from one place to 0:44:56.200,0:44:59.240 the other place? Chain of custody. This is 0:44:59.240,0:45:02.760 the key component: chain of custody. Data 0:45:02.760,0:45:06.200 encryption: you have to make sure that 0:45:06.200,0:45:10.440 you prevent 0:45:10.440,0:45:13.119 integrity manipulation, and you always 0:45:13.119,0:45:16.319 want to ensure the confidentiality of the 0:45:16.319,0:45:19.000 data. CIA: we already talked about the 0:45:19.000,0:45:21.520 components, confidentiality, integrity, 0:45:21.520,0:45:23.480 availability. From the digital forensic 0:45:23.480,0:45:26.319 standpoint, the most important, no 0:45:26.319,0:45:29.880 exception, is integrity, and also the 0:45:29.880,0:45:32.319 confidentiality. Okay? So from the 0:45:32.319,0:45:35.200 recovery image standpoint, you always 0:45:35.200,0:45:37.960 want to have a duplicate for validation 0:45:37.960,0:45:40.760 and reanalysis. And remember that you 0:45:40.760,0:45:43.559 always want to work with a copy of the 0:45:43.559,0:45:47.920 digital evidence 100% of the time, not 99. 0:45:47.920,0:45:50.680 You have to preserve the original 0:45:50.680,0:45:52.720 evidence. This is part of our 0:45:52.720,0:45:56.480 responsibility, and this is why we do 0:45:56.480,0:46:00.480 bit-by-bit analysis and bit-by-bit copies. It's 0:46:00.480,0:46:04.200 complex. Okay? Now, a 
specific step in 0:46:04.200,0:46:06.079 digital forensics: to analyze the 0:46:06.079,0:46:08.720 collected data. At this point, you already 0:46:08.720,0:46:10.880 went through multiple processes and spent 0:46:10.880,0:46:14.359 a lot of time. How do you analyze the 0:46:14.359,0:46:16.079 data you have? Because you are going to 0:46:16.079,0:46:19.400 have probably terabytes of data. Okay? 0:46:19.400,0:46:23.680 Well, you have to make sure that hashing 0:46:23.680,0:46:27.440 and checksums, digital signatures, and the chain 0:46:27.440,0:46:31.480 of custody have been followed. Data 0:46:31.480,0:46:34.000 prioritization: what happened and what is 0:46:34.000,0:46:35.880 more relevant. You cannot present in the 0:46:35.880,0:46:38.800 court two terabytes of data or 2,000 0:46:38.800,0:46:41.640 pages. This is irrelevant for the case. 0:46:41.640,0:46:44.240 Okay? You have to make sure that you use 0:46:44.240,0:46:47.240 keywords in order to provide a solid 0:46:47.240,0:46:49.680 report to the court for this particular 0:46:49.680,0:46:52.839 case. For the keywords, artificial 0:46:52.839,0:46:56.000 intelligence has proven to me that 0:46:56.000,0:46:59.319 it is of huge help. File carving: you have to 0:46:59.319,0:47:02.119 use a specialized tool to recover files 0:47:02.119,0:47:05.480 that may have been deleted or 0:47:05.480,0:47:08.760 intentionally hidden. Timeline analysis: 0:47:08.760,0:47:11.440 we talked about it. You have to do everything 0:47:11.440,0:47:13.920 by following a particular sequence of 0:47:13.920,0:47:16.720 activities. In other words, you have to 0:47:16.720,0:47:18.760 present and do the analysis in 0:47:18.760,0:47:21.280 chronological order, in the way that you 0:47:21.280,0:47:23.880 collected the data. This is the exact way 0:47:23.880,0:47:26.040 you do the analysis, and later you do 0:47:26.040,0:47:28.119 correlation. Okay? But you have to follow 0:47:28.119,0:47:30.760 a particular chronological order. Data 0:47:30.760,0:47:33.440 recovery: you have to do your best to 
0:47:33.440,0:47:35.520 reconstruct the data that has been 0:47:35.520,0:47:38.559 deleted or probably damaged, even by a 0:47:38.559,0:47:40.880 physical or electronic condition in the 0:47:40.880,0:47:43.680 storage media. The metadata analysis is 0:47:43.680,0:47:46.240 also complex. Okay? This is the next 0:47:46.240,0:47:49.240 component after the timeline 0:47:49.240,0:47:52.040 analysis. Metadata includes multiple kinds 0:47:52.040,0:47:54.880 of data, so this part of the analysis is 0:47:54.880,0:47:57.359 going to be more complex and more time 0:47:57.359,0:47:59.520 consuming than the data collection, and 0:47:59.520,0:48:02.319 the data collection is already very time 0:48:02.319,0:48:04.760 consuming. Content analysis: you have to 0:48:04.760,0:48:06.280 be very careful, because this is 0:48:06.280,0:48:08.960 basically what the forensic analysis is 0:48:08.960,0:48:12.240 going to be. Pattern recognition: how you 0:48:12.240,0:48:15.800 can match one bit of data with another 0:48:15.800,0:48:19.040 bit. Okay? Is there any association 0:48:19.040,0:48:23.359 between bits, between bytes, between data, 0:48:23.359,0:48:26.640 between words? This is a critical 0:48:26.640,0:48:29.400 component. Communication analysis: again, 0:48:29.400,0:48:31.319 you want to make sure that you include 0:48:31.319,0:48:34.680 everything. Emails today are probably the 0:48:34.680,0:48:37.760 most relevant component of digital 0:48:37.760,0:48:39.800 forensic analysis. You want to make sure 0:48:39.800,0:48:42.839 that you master email analysis as well. 0:48:42.839,0:48:45.640 Data encryption: you always have to keep 0:48:45.640,0:48:48.079 in mind the confidentiality. And when we 0:48:48.079,0:48:50.520 are talking about the recovery or the 0:48:50.520,0:48:53.160 recovery image, I mentioned that as well, 0:48:53.160,0:48:56.040 similar to the chain of custody before, 0:48:56.040,0:48:58.160 because you always have to preserve the 0:48:58.160,0:49:01.240 original digital evidence. 
0:49:01.240,0:49:03.000 Examination: you want to make sure that 0:49:03.000,0:49:06.000 you verify the integrity of the data you 0:49:06.000,0:49:08.799 have been acquiring, including hash values, 0:49:08.799,0:49:11.440 digital signatures, and the chain of 0:49:11.440,0:49:14.119 custody. We talked about this already. 0:49:14.119,0:49:16.880 This is a repeat of the slide, by the way. 0:49:16.880,0:49:20.480 Okay? So, database examination, and you 0:49:20.480,0:49:23.760 are seeing a duplicate slide, so this slide 0:49:23.760,0:49:27.680 is the same as this one. Okay? So my apology 0:49:27.680,0:49:30.680 for that; it's my fault. Database 0:49:30.680,0:49:33.000 examination: investigate databases for 0:49:33.000,0:49:35.480 valuable information, including 0:49:35.480,0:49:38.760 structured data and log entries, etc. 0:49:38.760,0:49:41.240 Media analysis: this is a very complex 0:49:41.240,0:49:43.960 process because it's usually about steganography 0:49:43.960,0:49:47.200 or includes steganography, and this is about 0:49:47.200,0:49:50.040 images, videos, audio, geolocation, and 0:49:50.040,0:49:52.319 digital signatures. Network traffic 0:49:52.319,0:49:56.359 analysis: tools such as Wireshark, but my 0:49:56.359,0:49:59.160 suggestion is that you use all the tools 0:49:59.160,0:50:02.119 that are part of the artificial 0:50:02.119,0:50:04.720 intelligence applications we can use 0:50:04.720,0:50:06.839 today and are available in the 0:50:06.839,0:50:10.520 market. Steganography is always complex. Okay? 0:50:10.520,0:50:14.079 Because steganography includes not only images but 0:50:14.079,0:50:16.880 in many cases audio as well, and this is 0:50:16.880,0:50:19.720 very complex, time consuming. You always 0:50:19.720,0:50:22.359 want to make sure that you use the 0:50:22.359,0:50:24.359 appropriate steganography analysis techniques, 0:50:24.359,0:50:27.160 and there are multiple specific ones for 0:50:27.160,0:50:29.960 volatile analysis. As I mentioned before, 0:50:29.960,0:50:33.440 there are multiple ways to do 0:50:33.440,0:50:37.599 
data acquisition from RAM memory. When we 0:50:37.599,0:50:41.240 turn off the computer, all the data from 0:50:41.240,0:50:44.200 RAM doesn't go off. This is what 0:50:44.200,0:50:47.319 everybody says, this is what Google says, 0:50:47.319,0:50:48.960 this is what people that never do 0:50:48.960,0:50:51.920 forensic investigation repeat; this is 0:50:51.920,0:50:54.920 not appropriate if you know how to do it. 0:50:54.920,0:50:57.480 And again, I made the presentation for EC 0:50:57.480,0:51:00.440 Council in 2019; if you Google my name and 0:51:00.440,0:51:02.640 this presentation, you will be able to 0:51:02.640,0:51:05.880 find a particular video in which I was 0:51:05.880,0:51:08.359 able to recover data from RAM memory 0:51:08.359,0:51:12.119 after the computer was taken down, taken 0:51:12.119,0:51:15.000 down, believe it or not. Go for the other 0:51:15.000,0:51:16.839 presentation that is in the EC Council 0:51:16.839,0:51:19.079 database and you will be able to see the 0:51:19.079,0:51:21.640 video, okay? Comparison: you have to do 0:51:21.640,0:51:24.359 cross-referencing every single time to 0:51:24.359,0:51:27.040 make sure that the data you identify is 0:51:27.040,0:51:30.359 appropriate, and you always identify 0:51:30.359,0:51:32.760 deviations and 0:51:32.760,0:51:35.240 inconsistencies before you do the final 0:51:35.240,0:51:38.079 report. I told you already, when you 0:51:38.079,0:51:40.839 present the report in the court of law, 0:51:40.839,0:51:44.359 a minimum mistake, something minimal, 0:51:44.359,0:51:46.839 will be disqualified in the case. For 0:51:46.839,0:51:49.599 example, in this presentation I included 0:51:49.599,0:51:53.480 by mistake this slide and this slide; 0:51:53.480,0:51:56.000 if I do that in the court of law, 0:51:56.000,0:51:56.960 it's 0:51:56.960,0:52:00.040 dismissed, okay? That's it, there's no more 0:52:00.040,0:52:02.400 conversation. The emotion analysis, we 0:52:02.400,0:52:04.680 have talked about that; we are talking
0:52:04.680,0:52:07.839 about persons. Digital evidence is always 0:52:07.839,0:52:11.920 related to people, to processes, 0:52:11.920,0:52:14.839 applications, hardware, software, so we 0:52:14.839,0:52:17.920 want to make sure that what we present 0:52:17.920,0:52:20.160 is accurate. And from the documentation 0:52:20.160,0:52:22.720 at some point, it was the second point in 0:52:22.720,0:52:25.400 the presentation, we have to document 0:52:25.400,0:52:28.240 everything. Reporting is about compiling 0:52:28.240,0:52:31.559 in a clear and comprehensive manner, 0:52:31.559,0:52:33.720 including summaries, methodologies, and 0:52:33.720,0:52:35.880 supporting evidence. You have to include, 0:52:35.880,0:52:39.000 or at least in my case I always include, 0:52:39.000,0:52:41.960 the recordings of everything I do. 0:52:41.960,0:52:43.960 Everything means even if I open my 0:52:43.960,0:52:46.280 personal email, or if a notification comes 0:52:46.280,0:52:48.799 to my computer and I open something in 0:52:48.799,0:52:52.640 my WhatsApp, for example, this is 0:52:52.640,0:52:55.760 part of the recording as well, okay? So 0:52:55.760,0:52:58.359 you have to make sure that you provide 0:52:58.359,0:53:00.920 an expert testimony; in order to do that 0:53:00.920,0:53:02.359 you have to be an expert in digital 0:53:02.359,0:53:06.000 forensics. Peer review: consult with others, 0:53:06.000,0:53:08.280 with your partners, with the opponent, 0:53:08.280,0:53:10.680 with the defendant's party, before you 0:53:10.680,0:53:12.240 present. It's not that you are going to 0:53:12.240,0:53:14.799 modify the report because the defendant 0:53:14.799,0:53:16.640 doesn't like it; this is not what I'm 0:53:16.640,0:53:18.920 telling you. It's just that you are going 0:53:18.920,0:53:21.359 to provide the report, and by the way, you 0:53:21.359,0:53:24.119 must provide the report to the defendant 0:53:24.119,0:53:26.720 before you go to the court. By the time 0:53:26.720,0:53:28.480 you stand up in the court,
everything 0:53:28.480,0:53:30.240 needs to be done; the other party needs to 0:53:30.240,0:53:32.680 know exactly what you are going to 0:53:32.680,0:53:35.280 present. This is how the legal systems 0:53:35.280,0:53:38.280 work, okay, with the exceptions of very few 0:53:38.280,0:53:41.000 countries, but in the world this is how 0:53:41.000,0:53:44.400 it works. So the quality assurance is just 0:53:44.400,0:53:46.240 making sure that what you present is 0:53:46.240,0:53:49.480 appropriate. The case management is how 0:53:49.480,0:53:51.400 you use the digital forensic management 0:53:51.400,0:53:53.680 system to track everything in the analysis 0:53:53.680,0:53:56.440 process. And for the data privacy 0:53:56.440,0:53:58.559 compliance, I told you already, every 0:53:58.559,0:54:00.440 single place, every single city, every 0:54:00.440,0:54:02.559 single state operates under different 0:54:02.559,0:54:04.920 conditions. Popular tools for digital 0:54:04.920,0:54:08.680 forensics, a few of those: EnCase, 0:54:08.680,0:54:11.720 Autopsy, AccessData, everybody knows how 0:54:11.720,0:54:14.559 it is, Forensic Toolkit, X-Ways Forensics, 0:54:14.559,0:54:17.960 Cellebrite, Volatility, Wireshark, 0:54:17.960,0:54:20.520 everybody most likely knows, Oxygen 0:54:20.520,0:54:22.839 Forensic Detective, and the Digital 0:54:22.839,0:54:25.319 Evidence and Forensic Toolkit. So some 0:54:25.319,0:54:28.160 of those are included in Kali, others are 0:54:28.160,0:54:31.359 not; some are open source, others are 0:54:31.359,0:54:34.119 extremely expensive, for example EnCase, 0:54:34.119,0:54:37.280 which is very, very expensive. Some 0:54:37.280,0:54:39.280 relevant references about digital 0:54:39.280,0:54:43.000 forensics: I prefer to use keywords and 0:54:43.000,0:54:45.599 not particular references or books, 0:54:45.599,0:54:49.000 because I don't recommend any specific 0:54:49.000,0:54:51.960 book, instead the combination of content 0:54:51.960,0:54:54.160 and knowledge and expertise. But some 0:54:54.160,0:54:56.480 words or key
words you can use if you 0:54:56.480,0:54:58.960 want to expand more in digital forensics 0:54:58.960,0:55:02.079 are: digital forensic best practices, 0:55:02.079,0:55:04.839 challenges in mobile digital forensics, 0:55:04.839,0:55:07.000 network forensic techniques, cloud 0:55:07.000,0:55:09.559 forensic investigations, Internet of 0:55:09.559,0:55:12.839 Things forensics, memory forensic analysis, 0:55:12.839,0:55:14.799 because you want to stop repeating what 0:55:14.799,0:55:17.119 you have been learning for years, that when 0:55:17.119,0:55:19.160 you take down the computer, when the 0:55:19.160,0:55:21.240 computer is turned 0:55:21.240,0:55:24.119 off, and there is a lot of data that 0:55:24.119,0:55:26.760 remains in RAM memory for a particular 0:55:26.760,0:55:30.520 amount of time, of course, okay? So try to 0:55:30.520,0:55:32.880 expand on this topic. Malware analysis in 0:55:32.880,0:55:35.440 digital forensics and cybersecurity, and 0:55:35.440,0:55:37.839 digital forensic trends: those are 0:55:37.839,0:55:41.240 keywords that will be facilitating your 0:55:41.240,0:55:44.280 expansion, or you expanding, on digital 0:55:44.280,0:55:48.240 forensic knowledge. Other 0:55:48.240,0:55:50.880 considerations are some particular 0:55:50.880,0:55:54.240 journals, okay? In this case I'm going 0:55:54.240,0:55:56.799 to risk it and recommend Digital 0:55:56.799,0:55:59.720 Investigation, that is published by Elsevier, 0:55:59.720,0:56:02.480 is one of the top in the world. The other 0:56:02.480,0:56:04.599 one is the Journal of Digital Forensics, 0:56:04.599,0:56:07.559 Security and Law, and Forensic Science 0:56:07.559,0:56:12.160 International: Digital Investigation. 0:56:12.839,0:56:15.520 Report: I'm open to any questions you may 0:56:15.520,0:56:19.319 have, and one more time, before I 0:56:19.319,0:56:22.440 close my lips, I want to sincerely thank 0:56:22.440,0:56:25.160 you, EC Council, for another opportunity 0:56:25.160,0:56:27.760 to talk about this fascinating topic. 0:56:27.760,0:56:29.880
Thank you very much for all the staff in 0:56:29.880,0:56:34.079 the EC Council that work tirelessly, who made 0:56:34.079,0:56:37.079 this presentation a possibility, and 0:56:37.079,0:56:39.000 thank you so much as well for you guys 0:56:39.000,0:56:41.160 attending the conference and 0:56:41.160,0:56:44.440 for the questions that you may 0:56:44.880,0:56:47.559 ask. Thank you very much, Dr. Luis, for 0:56:47.559,0:56:49.200 such an insightful and informative 0:56:49.200,0:56:50.760 session. That was really a very 0:56:50.760,0:56:52.880 interesting webinar, and we hope it was 0:56:52.880,0:56:55.480 worth your time too. Now, before we 0:56:55.480,0:56:57.280 begin with the Q&A, I would like to 0:56:57.280,0:56:59.680 inform all the attendees that EC 0:56:59.680,0:57:03.119 Council's CHFI maps to the forensic 0:57:03.119,0:57:05.319 investigator and the consultant, digital 0:57:05.319,0:57:07.760 forensics. Anyone with the CHFI 0:57:07.760,0:57:10.079 certification is eligible for 4,000 plus 0:57:10.079,0:57:12.200 job vacancies globally with an average 0:57:12.200,0:57:13.240 salary of 0:57:13.240,0:57:15.319 $95,000. If you're interested to learn 0:57:15.319,0:57:17.079 more, kindly take part in the poll that's 0:57:17.079,0:57:18.839 going to be conducted now. Let us know 0:57:18.839,0:57:20.240 your preferred mode of training and we 0:57:20.240,0:57:23.039 will reach out to you 0:57:23.799,0:57:26.599 soon. 0:57:26.599,0:57:29.440 Dr. Luis, shall we start with the 0:57:29.440,0:57:32.119 Q&A? Yes, I'm ready 0:57:32.119,0:57:35.319 for it. Okay, our first question is: how to 0:57:35.319,0:57:38.640 prove in a court of law that the collected 0:57:38.640,0:57:40.839 evidence is from the same object and not 0:57:40.839,0:57:43.160 collected from any other 0:57:43.160,0:57:46.400 object? This is a very important question; 0:57:46.400,0:57:48.720 I really appreciate the clarification on 0:57:48.720,0:57:51.640 this topic. As I said, we have to be very 0:57:51.640,0:57:53.520 careful about the
way we collect the 0:57:53.520,0:57:56.400 data. When we are talking about objects, 0:57:56.400,0:57:59.760 objects are associated to bits, not to 0:57:59.760,0:58:02.359 bytes only but bits, and as I mentioned 0:58:02.359,0:58:05.760 multiple times, when we do the copy of 0:58:05.760,0:58:08.680 the original data we want to make sure 0:58:08.680,0:58:11.960 that we always do bit by bit. When you do 0:58:11.960,0:58:16.640 bit by bit and not byte by byte, because a bit 0:58:16.640,0:58:21.599 implies up to 3.4 volts in electricity, 0:58:21.599,0:58:24.119 we are eliminating the possibility of 0:58:24.119,0:58:27.839 mistake. Objects are bigger; a bit does not 0:58:27.839,0:58:31.039 constitute an object, objects are formed 0:58:31.039,0:58:34.200 by multiple bits. This is why we have to 0:58:34.200,0:58:37.039 do the analysis bit by bit, and I 0:58:37.039,0:58:40.240 mentioned that multiple 0:58:42.079,0:58:44.200 times. Thank you for answering that 0:58:44.200,0:58:46.520 question. Our next question is: what kind 0:58:46.520,0:58:48.839 of forensic data can we obtain from 0:58:48.839,0:58:51.039 encrypted data where the key is not 0:58:51.039,0:58:53.720 available to decrypt the 0:58:53.720,0:58:58.280 data? Could you please repeat the 0:58:58.520,0:59:01.520 question? What kind of forensic data can 0:59:01.520,0:59:04.079 be obtained from encrypted data 0:59:04.079,0:59:05.880 where the key is not available to 0:59:05.880,0:59:08.599 decrypt the 0:59:09.319,0:59:13.039 data? You encrypt 0:59:13.039,0:59:16.119 data... I'll just paste the question to you 0:59:16.119,0:59:19.599 on chat, Dr. 0:59:19.599,0:59:23.200 Luis. I'm not watching the chat right now; 0:59:23.200,0:59:26.640 something happened. 0:59:28.319,0:59:30.359 I'm not watching the 0:59:30.359,0:59:34.680 chat, sorry. Hello, hello, hello, can 0:59:34.680,0:59:35.960 you hear 0:59:35.960,0:59:39.960 me? Yes, I can hear you. Yes, I have posted 0:59:39.960,0:59:43.440 the question on the chat, Dr. Luis. Okay, 0:59:43.440,0:59:47.480 okay,
please. Yes, I have already pasted it. 0:59:47.480,0:59:50.599 Okay, let me check 0:59:53.640,0:59:56.400 here. 0:59:56.400,0:59:59.680 Okay, give me a second. Okay, what kind of 0:59:59.680,1:00:01.400 forensic data can be obtained from 1:00:01.400,1:00:04.799 encrypted data? Oh, okay, okay, well, this is 1:00:04.799,1:00:07.240 another misperception, okay? Everybody 1:00:07.240,1:00:09.799 knows that when the data is encrypted, we 1:00:09.799,1:00:12.640 cannot open the data or the particular 1:00:12.640,1:00:16.079 file, document, video, any kind of digital 1:00:16.079,1:00:18.520 forensic data. Let me tell you something: 1:00:18.520,1:00:21.000 there are multiple forensic tools that 1:00:21.000,1:00:23.599 have the ability to decrypt the data 1:00:23.599,1:00:26.079 even when we don't have the key. This, and 1:00:26.079,1:00:28.640 I understand the key component, and I 1:00:28.640,1:00:30.039 understand the two types of 1:00:30.039,1:00:32.599 encryption, symmetric and asymmetric, and 1:00:32.599,1:00:34.760 as I said, I have multiple publications 1:00:34.760,1:00:35.960 about 1:00:35.960,1:00:40.160 encryption, but there is most likely 1:00:40.160,1:00:43.839 always the possibility to encrypt data 1:00:43.839,1:00:47.480 without having the encryption key. I 1:00:47.480,1:00:49.559 understand that it doesn't sound 1:00:49.559,1:00:52.280 popular, it's not what we hear every 1:00:52.280,1:00:55.160 single time, but when we specialize 1:00:55.160,1:00:58.520 in digital forensics we usually have the 1:00:58.520,1:01:01.839 tools we need to decrypt the data, 1:01:01.839,1:01:04.319 especially if you are using artificial 1:01:04.319,1:01:07.400 intelligence. Also in the government, at 1:01:07.400,1:01:09.280 least in the US government, in my 1:01:09.280,1:01:12.160 operation, in the operation I direct, I 1:01:12.160,1:01:14.640 handle, I supervise, we are using 1:01:14.640,1:01:16.480 artificial intelligence for multiple 1:01:16.480,1:01:19.599 things in cybersecurity since
1:01:19.599,1:01:22.319 2017, and we are also using quantum 1:01:22.319,1:01:24.760 computing. Quantum computing is not 1:01:24.760,1:01:28.839 coming; quantum computers are in use in the 1:01:28.839,1:01:31.559 US government for years now, so we are 1:01:31.559,1:01:34.520 using quantum computing for years. There 1:01:34.520,1:01:37.319 are multiple ways to decrypt the data 1:01:37.319,1:01:40.640 when the encryption key is not available, 1:01:40.640,1:01:42.720 multiple ways, multiple applications as 1:01:42.720,1:01:45.319 well that help with the process. It's 1:01:45.319,1:01:47.799 very time consuming, but there is a 1:01:47.799,1:01:50.760 possibility for that, and this is a great 1:01:50.760,1:01:53.240 question, because the question is, okay, 1:01:53.240,1:01:55.559 how about if the hard drive is encrypted, 1:01:55.559,1:01:57.760 there is nothing that I can do, right? No, 1:01:57.760,1:02:00.000 this is not like that. There are always 1:02:00.000,1:02:02.480 ways to decrypt the data, always; it 1:02:02.480,1:02:04.920 doesn't matter how strong the encryption 1:02:04.920,1:02:06.960 is, but you need to have the appropriate 1:02:06.960,1:02:09.640 tools in place. For example, I'm going to 1:02:09.640,1:02:13.319 mention just one, EnCase. When I presented 1:02:13.319,1:02:17.319 some tools that I suggest, before, I 1:02:17.319,1:02:20.839 said that EnCase is very expensive. 1:02:20.839,1:02:24.079 EnCase does magic, between quotation marks; 1:02:24.079,1:02:26.240 EnCase does multiple things that we don't 1:02:26.240,1:02:28.799 learn in the school, 1:02:28.799,1:02:31.760 okay? So I can see the other question 1:02:31.760,1:02:33.839 here: how to adapt to investigation in 1:02:33.839,1:02:35.880 the cloud, since the cloud providers do 1:02:35.880,1:02:38.160 not allow most of the important operations to 1:02:38.160,1:02:41.520 access media? When you have to do a case 1:02:41.520,1:02:45.400 or conduct digital forensics in the cloud, 1:02:45.400,1:02:48.799 the cloud providers 99% of the time, I
1:02:48.799,1:02:50.520 don't want to say 100 because I don't 1:02:50.520,1:02:52.960 want to risk on that, but usually the 1:02:52.960,1:02:56.480 cloud providers include in the SLA, in 1:02:56.480,1:02:58.520 the service level agreement, what is 1:02:58.520,1:03:01.599 going to happen if a digital forensic or 1:03:01.599,1:03:04.160 any kind of investigation needs to be 1:03:04.160,1:03:08.079 performed in the cloud space. 1:03:08.079,1:03:11.079 So most likely the cloud operator is 1:03:11.079,1:03:13.599 going to facilitate access to everything 1:03:13.599,1:03:16.359 you need. Sometimes you have to move and 1:03:16.359,1:03:19.319 go physically to the place in which the 1:03:19.319,1:03:20.960 data is 1:03:20.960,1:03:23.480 hosted. Don't believe that the cloud 1:03:23.480,1:03:25.640 provider doesn't know where the data is 1:03:25.640,1:03:28.920 hosted; we know where the data is hosted. 1:03:28.920,1:03:31.400 Specifically, I have been in San Diego, 1:03:31.400,1:03:34.119 California, and other states, in Hawaii 1:03:34.119,1:03:35.799 back in 1:03:35.799,1:03:38.440 2019 as well, doing forensic 1:03:38.440,1:03:40.839 investigation in a cloud environment. It 1:03:40.839,1:03:43.079 was actually for something government 1:03:43.079,1:03:46.480 related, and I was given the permission I 1:03:46.480,1:03:49.279 needed to do any kind of investigation. So 1:03:49.279,1:03:52.000 cloud providers facilitate forensic 1:03:52.000,1:03:54.640 analysis, because forensic analyses are 1:03:54.640,1:03:58.079 usually related to legal cases. There are 1:03:58.079,1:04:01.039 multiple cases in which, in the USA, we don't 1:04:01.039,1:04:02.760 have access to this data, and I'm going 1:04:02.760,1:04:06.599 to mention an example: TikTok. TikTok, 1:04:06.599,1:04:08.640 the problem between the US government 1:04:08.640,1:04:11.839 and TikTok is that when TikTok got the 1:04:11.839,1:04:14.839 authorization to operate in the USA, the 1:04:14.839,1:04:18.559 government was one step behind,
1:04:18.559,1:04:21.079 okay? And we don't regulate TikTok at 1:04:21.079,1:04:25.200 this point. TikTok has the ability to 1:04:25.200,1:04:28.279 prevent forensic investigation in the 1:04:28.279,1:04:31.400 TikTok platforms for the US government 1:04:31.400,1:04:34.599 court system or legal system, okay? But 1:04:34.599,1:04:37.680 again, usually cloud providers facilitate 1:04:37.680,1:04:40.760 investigation in the cloud 100%; they 1:04:40.760,1:04:43.240 cooperate in every single manner, they 1:04:43.240,1:04:48.000 have to facilitate the forensic 1:04:49.799,1:04:51.720 investigation. Thank you for answering 1:04:51.720,1:04:53.880 that question. We'll take the last 1:04:53.880,1:04:56.839 question for the day: what are the best 1:04:56.839,1:05:00.279 open source free tools for social media 1:05:00.279,1:05:03.559 forensics? There is no best open source 1:05:03.559,1:05:05.640 tool; it is a combination of tools. 1:05:05.640,1:05:08.559 Number one, digital forensics cannot be 1:05:08.559,1:05:10.640 performed, categorically speaking, with 1:05:10.640,1:05:14.520 one or two tools. This is a complex, time 1:05:14.520,1:05:18.240 consuming and expensive process. I made 1:05:18.240,1:05:21.160 some suggestions; it's included in the 1:05:21.160,1:05:26.079 slide. Let me see, a slide, 1:05:27.319,1:05:29.400 slide 1:05:29.400,1:05:31.000 number 1:05:31.000,1:05:34.119 16. Okay, this is the slide in which I 1:05:34.119,1:05:37.400 include EnCase, Autopsy, and the rest. Some of 1:05:37.400,1:05:40.520 them are upper cases, as I, I'm sorry, open 1:05:40.520,1:05:43.359 source, as I mentioned before, but there 1:05:43.359,1:05:46.039 is not a particular tool or two or three 1:05:46.039,1:05:48.119 tools that I will recommend, because on 1:05:48.119,1:05:52.319 top of that, every single forensic 1:05:52.319,1:05:54.640 investigation is about a different 1:05:54.640,1:05:57.440 process; you cannot use the similar tools. 1:05:57.440,1:06:00.720 This is why there are very, at least in
1:06:00.720,1:06:04.400 the USA, a very small amount of organizations, 1:06:04.400,1:06:07.039 companies, that specialize in digital 1:06:07.039,1:06:10.440 forensics, as my company does. The reason 1:06:10.440,1:06:13.520 why is because, between many other things, 1:06:13.520,1:06:15.920 lack of expertise and 1:06:15.920,1:06:19.240 expenses, okay? So I do not recommend a 1:06:19.240,1:06:21.799 particular tool, instead the combination 1:06:21.799,1:06:24.440 of tools. There are multiple open source ones; 1:06:24.440,1:06:27.799 I mention a few in slide number 16 of 1:06:27.799,1:06:30.760 my PowerPoint presentation, but again, 1:06:30.760,1:06:33.279 those are not sufficient. Those are the 1:06:33.279,1:06:35.559 most popular and 1:06:35.559,1:06:39.480 strong, or more accurate, tools that 1:06:39.480,1:06:41.760 you can use for digital forensics, but a 1:06:41.760,1:06:43.680 particular tool, one or two, to do 1:06:43.680,1:06:47.160 forensic investigation, it doesn't exist; 1:06:47.160,1:06:49.839 it's impossible, 1:06:51.720,1:06:54.039 it doesn't. Thank you again to our wonderful 1:06:54.039,1:06:56.000 speaker, Dr. Luis, for answering those 1:06:56.000,1:06:57.960 questions and for the great presentation 1:06:57.960,1:06:59.720 and knowledge shared with our global 1:06:59.720,1:07:01.720 audiences. It was a pleasure to have you 1:07:01.720,1:07:03.559 with us, and we are looking for more and 1:07:03.559,1:07:05.200 more sessions with you. Before we 1:07:05.200,1:07:06.880 conclude the webinar, Dr. Luis, would you 1:07:06.880,1:07:08.240 like to give a small message to our 1:07:08.240,1:07:10.680 audiences, 1:07:10.680,1:07:14.160 please? Well, no, I just want to thank 1:07:14.160,1:07:16.760 everybody again, the ones that work 1:07:16.760,1:07:21.160 tirelessly behind the presentation, to you 1:07:21.160,1:07:23.559 in EC Council, as always, thank you very 1:07:23.559,1:07:25.440 much for the support, for all the 1:07:25.440,1:07:28.000 attendees. I hope you learned something new. 1:07:28.000,1:07:31.559 Let me clarify
that every single content, 1:07:31.559,1:07:34.160 wording, words, etc., that I have been 1:07:34.160,1:07:36.559 presenting for you is my original 1:07:36.559,1:07:39.119 creation, 100%, not 1:07:39.119,1:07:42.920 99.99 but 100%, categorically speaking, 1:07:42.920,1:07:44.960 and I put together those notes and 1:07:44.960,1:07:47.960 reflections for you guys with the hope 1:07:47.960,1:07:49.440 that you can come back to your 1:07:49.440,1:07:52.359 organization and serve better, that you can 1:07:52.359,1:07:54.760 become a public servant 1:07:54.760,1:07:57.119 and go to the court and testify in 1:07:57.119,1:08:00.799 favor of the party that deserves your 1:08:00.799,1:08:03.599 benefits. And I sincerely thank you for 1:08:03.599,1:08:05.599 the opportunity to share my expertise 1:08:05.599,1:08:08.640 with you guys. Have a nice weekend, okay? 1:08:08.640,1:08:10.200 Thank you very much for the time and 1:08:10.200,1:08:13.160 questions. Thank you so 1:08:14.279,1:08:16.920 much. Thank you so much, Dr. Luis, for your 1:08:16.920,1:08:19.120 message. Before we end the session, I 1:08:19.120,1:08:20.479 would like to announce the next Cyber 1:08:20.479,1:08:23.040 Talks session, "Why are strong foundational 1:08:23.040,1:08:24.759 cybersecurity skills essential for 1:08:24.759,1:08:26.960 every IT professional," which is scheduled 1:08:26.960,1:08:29.279 on November 8, 2023. This session is an 1:08:29.279,1:08:31.439 expert presentation by Roger Smith, 1:08:31.439,1:08:34.279 Director, Car Managed IT, industry fellow 1:08:34.279,1:08:36.719 at the Australian Defence Force Academy. To 1:08:36.719,1:08:38.359 register for this session, please do 1:08:38.359,1:08:40.399 visit our website, 1:08:40.399,1:08:43.439 www.ccu.edu Cyber Talks; the link is 1:08:43.439,1:08:45.279 given in the chat section. Hope to see 1:08:45.279,1:08:48.000 you all on November 8th. With this we end the 1:08:48.000,1:08:49.880 session; with this you may disconnect 1:08:49.880,1:08:52.080 your lines. Thank you, thank you so much,
1:08:52.080,1:08:55.238 Dr. Luis, pleasure having you. 1:08:55.238,1:08:57.319 Likewise, thank you very much for the 1:08:57.319,1:09:01.920 opportunity. Thank you, have a good day.