Hello, everyone, and welcome to today's session on digital forensics: best practices from data acquisition to analysis. I'm Shilpa Goswami, and I'll be your host for the day. Before we get started, we would like to go over a few house rules for our attendees. The session will be in listen-only mode and will last for an hour, of which the last 15 minutes will be dedicated to Q&A. If you have any questions during the webinar, for our organizers or speakers, please use the Q&A window. Also, if you face any audio or video challenges, please check your internet connection or you may log out and log in again. An important announcement for our audience: we have initiated CPE credit certificates for our participants. To qualify for one, attendees are required to attend the entire webinar and then send an email to cyber talks at eccouncil.org, after which our team will issue the CPE certificate. Also, we would like to inform our audience about the special handouts. Take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC Council and Cyber Talks. We will share free handouts with the first 15 attendees. As a commitment to closing the cybersecurity workforce gap by creating multi-domain cyber technicians, EC Council pledges $3,500,000 towards ECT Education and Certification Scholarships to certify approximately 10,000 cyber professionals ready to contribute to the industry. Did you know that you can be part of the lucrative cybersecurity industry? Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cybersecurity professionals. The cybersecurity industry has a 0% unemployment rate. The average salary for an entry-level cybersecurity job is about $100,000 per year in the United States. Furthermore, you don't need to know coding, and you can learn from home, and you get a scholarship to kick-start your career. Apply now. 
EC Council is pledging a $3,500,000 CCT scholarship for cybersecurity career starters. Scan the QR code on the screen to apply for the scholarship. Fill out the form. Now, about our speaker Dr. Luis. Dr. Luis Noguerol is the Information Systems Security Officer for the U.S. Department of Commerce, NOAA, where he oversees the cybersecurity operation for six states in the Southeast Region. Dr. Luis is also the President and CEO of the Advanced Division of Informatics and Technology, Technology INC, a company that focuses on data recovery, digital forensics, and penetration testing. He is a world-renowned expert in data recovery, digital forensics, and penetration testing. He holds multiple globally recognized information technology and cybersecurity certifications and accreditations and is the recipient of multiple awards in technology, cybersecurity, and mathematics. He currently serves pro bono as an editorial board member and reviewer for the American Journal of Information Science and Technology, and is a member of the prestigious high-edging professor program for undergraduate and graduate programs at multiple universities in the U.S. and as a reviewer for the doctoral program at the University of Karachi in Pakistan. He is the author of multiple cybersecurity publications and articles, including Cybersecurity Issues in Blockchain: Challenges and Possible Solutions. He is also one of the co-authors and reviewers of the worldwide acclaimed book, Intrusion Detection Guide. Prior to obtaining his doctorate degree in Information Systems and Technologies from the University of Phoenix, Dr. Luis earned a Bachelor's in Science and Radio Technical and Electronic Engineering, a Bachelor of Science in Telecommunications and Networking, and a Master of Science in Mathematics and Computer Science. Without any further delay, I will hand over the session to you, Dr. Luis. Thank you very much. Thanks. Okay. Good morning, everybody. 
Good afternoon, and good night, depending on the specific area in which you reside. We are going to have an interesting conversation today about digital forensic best practices from data acquisition to analysis. This is the title of the presentation or subject, and I’m more than happy to be here with you all and share some of my expertise. So, let's go ahead and start the conference, okay? She already mentioned some of my credentials. I have been working in cybersecurity at this point for over 41 years. This is in my DNA, a topic that I didn’t like and respect as much as I cannot talk about any other topic in my life. Before we go, I have here a statement that I put together for you, okay? Digital forensic best practices. Well, consideration number one: just to break the ice in the labyrinth of cyberspace, where shadows dance through encased passages and data whispers its secrets, the digital detective emerges. This is us, the digital forensic experts. Clad in lines of code and armed with algorithms, we seek the hidden treasures of truth and solving enigmatic cybercrimes. With a visual magnifying glass, this is what we do: we dissect the digital tapestry, unveiling the footprints of elusive cyber cultures. This is what cyber forensics, or digital forensics, is about. Each keystroke and pixel holds a clue, something that we can use in our favor. And in this mesmerizing world of the digital era, ones and zeros, the art of digital forensics is about finding the secret of the digital reality. Digital forensics is about finding evidence that can lead to a particular process. It can be a legal process, or it can be any other kind of process. But what is digital forensics from my point of view? Well, I mentioned earlier that I've been working in cybersecurity for 41 years. My specialties are in penetration testing, data recovery, and digital forensics. I’ve been working for the police department in multiple places doing digital forensics for them. 
So I try to put together an easy definition for you from my standpoint about what digital forensics is. Digital forensics investigates digital devices and electronic data to use as evidence. Please note that I don’t say electronic information; I use the word "data" intentionally to understand digital events and trace illicit activities. This is a key component of digital forensics. Normally speaking, digital forensics happens, of course, after the facts, and the idea of digital forensics is identifying traces, okay, that lead to particular data that we can gather together and make a conclusion. It involves the systematic collection, preservation, analysis, and presentation of digital evidence in legal proceedings. This is key today because we are technology-dependent, and there are multiple states, at least in the USA and some other countries, where digital forensics is still in limbo because it's not accepted in the court of law. Okay. So, this is very important to keep in mind. What are we going to do from the digital forensics standpoint, the data collection process, and the analysis? Digital forensics experts use specialized techniques and tools to extract data from computers, smartphones, networks, and digital storage media to support investigations and resolve legal matters. So this is basically what digital forensics is about. Let's go ahead and start with the technical part, which is the topic I like most. Okay, let's talk about those 30 best practices that I’ve put together for you. At the end of the presentation, you will have the opportunity to ask as many questions as you like. 1. You have to follow the legal and ethical standards: For this particular first point, I am not going to make any comment. I believe that ethics is a key component of cybersecurity. We always have to follow the rules. We must always follow the legal procedures in the places in which we operate because every single place is a different component. 2. 
Understand the original evidence: This is key. Okay. You always have to maintain the integrity of the original evidence to ensure it is admissible in court. Any kind of manipulation or modification will result in disqualification from the court system. Document everything: This is something that technical people like me don’t like too much, but when it comes to digital forensics, we have to document every single step we take. We have to record all the steps we follow, and we want to make sure that everything is documented and recorded in a specific chronological order. This is a key component for digital forensics or investigations to be accepted in the court of law. Secure the scene: It’s not just physical crime scenes that need to be secured to prevent contamination or tampering. If you present anything in court and the opposing party has the ability to prove that something was not preserved, the conversation is over. Chain of custody: I’m going to repeat this more than once during the presentation. Sorry. Chain of custody refers to how you establish and maintain the evidence and the process that facilitates how the tracking process is handled. Use write-blocking tools: This is another key component of digital forensics. It means that you have to use the appropriate hardware and software that allow for write blockers when you are collecting data to prevent alteration. There are a set of tools you can use, and at the end of the presentation, I’m going to provide you with a specific set of tools you can use as write-blocking tools. Verify hashing or hash values: This is how you calculate and compare hash values to verify the data's integrity. There is often confusion about integrity, confidentiality, and availability. In digital forensics, the most important component is integrity. 
It means that we must make every effort to ensure that the data is not modified in any possible way, from the time we arrive at the scene to the time we present the evidence in court and even after that as well. The other component is Collect volatile data first. Okay, this obviously makes perfect sense. You have to prioritize this type of data collection as it can be lost or modified when the system is powered down. For many of you, what I’m going to tell you may sound not appropriate, and this is the following assessment: we've been told from the time we arrived at school and even at work that information or data in random access memory (RAM) disappears when the computer is shut down. Back in 2019, I made a presentation similar to this one for this account, in which I proved that the data in RAM can be recovered. Okay. So, what we have been learning in multiple places, and what you can easily find on Google, that data in RAM is lost when computers are powered down, is not exactly correct. The other component is Forensic image. You have to create a forensic image of storage devices to work with copies. You must always present the original evidence. This is a requirement in the court of law. You must present the original evidence every single time. The other component is Data recovery. Data recovery is closely associated with digital forensics for obvious reasons. Okay. You have to employ specialized tools to recover deleted or hidden data. This is also something to keep in mind. At the end, I'm going to provide some specific applications you can use to do data recovery. Timeline analysis: You must construct and analyze timelines to understand the sequence of events. What happened first? The chronological order is a mandatory requirement in the court of law. You cannot present evidence in court in a random manner. You have to follow the specific chronological order. The other consideration is Preserving the metadata. 
Ensure metadata integrity to verify results, timing, and authenticity of the digital artifacts you are going to present in the court of law. Use known good reference data: This means you have to compare the collected data with known good reference data to identify anomalies, specific patterns, and statistical processes. Many times, you have to do this as well. Antiforensic awareness: You have to be aware of the antiforensic techniques in use. There are multiple applications that work against digital forensics. So, you must be aware of that. Before you start digital forensics analysis, while working on the data collection process, you want to make sure you don't have any anti-forensic tools or applications installed on the particular host or hosts in which you are going to conduct the investigation. Another very important component is Cross-validation. This is what brings actual reputation and respect to the data you are presenting in the court of law. Okay? So the standard operating procedures are a very important component that is oftentimes overlooked, and it's about developing and following SOPs that maintain consistency. This is why documentation is key, and it was presented in slide number one. Training and certification are also important components, and this is relevant. The reason why it's relevant is that I understand you can learn many things by yourself. This is becoming more popular as we become more technology-dependent. This is normal and expected, but certifications still hold particular value. There are multiple questions in certification exams, in general terms, not only in EC-Council certifications or others, in which, most likely, if you don't go through the certification process, you will never find out. And this is what some people say: "Well, this is theoretical information." Digital forensics involves a lot of theoretical information-- A LOT. Remember that we are doing the analysis at a low level, from the technical standpoint. 
So theory is extremely important and relevant when we do forensic investigations--digital forensics. The same happens with medical doctors. When medical doctors do a forensic analysis of a body of someone who passed away, they also employ a lot of theoretical knowledge they have been accumulating. Digital forensics is no different. The other consideration is expert testimony. Okay? I, for example, live in Miami, Florida, in the USA, and I am one of the 11 experts certified by the legal system in the 11 districts. This means that when you go to court, you have to be classified as an expert in order to provide comments and evidence. Otherwise, you will probably not be able to speak in court, as what we say in court is relevant for the case. And with our wording or statement, along with the evidence we provide, we have the ability to put somebody in jail or release this person from jail. So, this is extremely important. Okay? So, evidence storage is one of the most important components. Your opponent in court or in your company will try their best to challenge what you are presenting. So, you have to safely store and protect evidence to maintain its integrity. Integrity is the most important characteristic or consideration in digital forensics-- without any other factor coming close. So, integrity is everything in digital forensics. Okay? Data encryption: There are multiple cases in which you will do digital forensics on encrypted storage devices, encrypted data, or encrypted applications. You need to develop the ability to handle encrypted data and understand the encryption methods. Among the publications I have, I have over 25 publications on different topics and concepts within security. A few of them, probably five or six, are specifically about encryption. If we want to do digital forensics, we must become data encryption experts. There is no other way. 
I understand that many people don’t like math, statistics, physics, etc., but this is a requirement for doing an appropriate digital forensic assessment. It’s a necessity today. Okay? The other consideration, and this is for the people who love technology like me attending or watching this conference, is network. I am a big fan of networks. I have been working in networking for 41 years. My doctoral degree is in telecommunications and cybersecurity. So, networking is in my DNA. I love networking more than any other topic in information technology. Network analysis is the ability to analyze network traffic logs and data to trace digital footprints. I’m pretty sure everyone has a tool of mine, and, of course, this tool is most likely part of the tools I’m going to provide in the last slide for you. But network analysis today, from a digital forensics standpoint, is everything. Everything is network-related in one or another way. Malware analysis: We need to develop the ability to understand malware behavior and analysis and how those malwares impact systems. This needs to be incorporated as part of the cybersecurity analysis when performing digital forensics today. Cloud forensics: I don’t have to highlight how important cloud operations are. Okay? We are moving operations to the cloud, and for those still running operations on-premises, there is a high expectation that sooner rather than later, you will move operations to the cloud for multiple conveniences. However, the configuration at this point does not fully benefit all aspects of the cloud. From a forensic standpoint, when you do cloud forensics, the situation is a little different from on-premises investigations. So, you have to adapt methodologies for investigating data in the cloud, regardless of the cloud provider. Here, as a matter, you can see AWS, Google, Azure, or anyone else. The operation in the cloud is somehow different from a digital forensics standpoint, starting with how you access the data. 
Remote forensics: Remote forensics is the opportunity to develop skills for collecting and analyzing data from a remote location. This is happening more frequently now as we become more telework-dependent. In multiple cases--my own company, for example; you know my job with the government, but I also own my own company--I have been doing more remote digital forensics in the last two or three years, probably two years, than probably ever before in my life. So, this is an important skill to develop as well. Case management: This is how we use digital forensics case management to organize and track investigations. I mentioned to you that I go to court very often--more often than I want, very, very often. Okay. And they scrutinize every single protocol you present, every single artifact, every single document, and the specific chronological order. This is a complex process. It’s not just collecting the data, performing the digital forensics analysis, and going to court to testify. Okay? The process is much more complex than this. Collaboration: Collaborate with other experts, and there's one in the middle that I'm going to highlight in a few. Collaborate with other experts, law enforcement, or organizations for complex cases. Cases are different from one another. Of course, this is okay, and I know you know that. Okay? But you have some cases sometimes in which the forensic analysis becomes very complex. In those particular cases, my advice is to collaborate with others. Okay? You do better when you work as part of a team and not when you work independently. I’ll skip the data privacy compliance for a minute because this is relevant. Every single state, every single... No exception. A state court operates on different requirements. So, you want to make sure that you follow the privacy regulations in your specific place. Okay? And by the way, I'm going to ask you a question. I'm not expecting any response. 
But the question is: by any chance, do you know the specific digital forensic regulations in the place you live? Ask yourself this question, and probably some of you are going to respond "no." This is a critical thing. Continuous learning: You need to keep asking about what we do. Okay? Cybersecurity is a specialization of IT. From my point of view, it's the most fascinating topic in the world. This is the only topic I can talk about for 25 hours without drinking water. This is my life. I dedicate multiple hours every single day, seven days a week, even when it creates some personal problems with my family, etc. This is in my DNA. I encourage each of you, if you are not doing so, to dedicate your life to becoming a digital forensics expert. Digital forensics is one of the most fascinating topics on the planet. Okay. And you want to be attentive to these types of things. Report and presentation: When you go to the court or when you present all the digital forensic outcomes to your organization, you want to make sure that you use clear language, you are concise, and you are ready for the presentation questions and answers. You never want to go to the court unprepared. Okay? Never in your life. This is not appropriate because, at the end of your assessment, you have the possibility to put somebody in jail, or somebody will be fired from the organization or not. So what we say is relevant. Our wording has a huge impact on other people's lives. It's important to be attentive to that. One of the most relevant topics that I have been using in my practice is the use of artificial intelligence in digital forensics. Since 2017, this is not a topic that is well known. At this point, the reason why I really want to share my experience--practical experience--with you guys is digital evidence analysis, how artificial intelligence can help us. 
Well, everybody knows that we have multiple applications that we can use in order to analyze the different kind of media that can be generated. For example, text, image, and videos, artificial intelligence studies have the ability to detect and flag potential relevant content for investigations, especially from the timing standpoint. Digital forensic is extremely time consuming, very, very time consuming and complex. This is probably along with data recovery the most complex specialization in cybersecurity. So the use of artificial intelligence, in our favor, is very convenient. And at the end, I'm going to include as well or actually I included in the list a particular artificial intelligence tool that you can use in your favor. The other use of artificial intelligence is pattern recognition. Artificial intelligence can identify patterns in data, helping investigators recognize anomalies or correlations in digital artifacts that may indicate criminal activity. Out of the whole sentence, the most important question is: "What is the key word?" The key word, correlation. How do we correlate data by using artificial intelligence? The process is going to be simplified dramatically. Speaking based on my personal experience, the other component is NLP. This can be used to analyze text-based evidence, including logs and emails, to uncover communication patterns or hidden minutes. A lot of evidence that we collect, about 65%, is included in emails, chats, documents, etc., so this is when NLP plays a predominant role in artificial intelligence in the digital forensic analysis for image and video analysis. It provides incredible benefits. Okay? You have the ability to analyze multimedia content to identify objects, people, and potentially illegal or sensitive content. I’m sure a word is coming to your mind right now, steganography. Yes, this is part of steganography, but it's not similar to doing steganography by using a particular application. 
When you employ artificial intelligence tools that are dedicated exclusively to digital forensics, the benefit is really awesome. Predictive analysis: Machine learning models can predict potential areas of interest in an investigation, guiding forensic experts to focus on critical evidence. Imagine that you are analyzing a hard drive that is one terabyte holds a lot of documents, videos, pictures, sounds, etc. You know that, right? If you are attending this conference, it’s because you are very familiar with information technology, cybersecurity, and digital forensics. Well, how do you find the specific data you need to prove something in a court of law? You have to be very careful about the pieces of data you pick for the analysis, otherwise, your assessment is not appropriate. And again, every single word we say in a court of law or in the organization we are working for is relevant. It implies that probably somebody will be in jail for 30 years, or probably somebody, if we’re talking about a huge crime like an assassination or child pornography abuse, will face consequences like death. Our assessment is critical. Okay? We become the main players when digital forensics is involved. We have to be very careful about the way we do it. This is not a joke; it's very serious. Okay? Predictive analysis, machine learning models, or artificial intelligence are pretty close in this concept and can predict potential areas of interest in an investigation. But we also talk about detection. Artificial intelligence driving security tools can identify cyber threats and potential cybercrime activities, helping law enforcement and cybersecurity teams respond effectively and proactively. More importantly, the majority of us have multiple tools that we call proactive in our place of work. Okay? We have different kinds of monitors, etc. But the possibility to do something in a proactive mode is really what we want. 
Evidence authentication: Artificial intelligence can assist in the authentication of digital evidence, ensuring its integrity and the possibility of this data being admitted in court. Data recovery: Artificial intelligence helps with the recovery of data that has been deleted intentionally or unintentionally. It doesn't matter. When we do digital forensics, we want to have as much data as we can to make a case against a particular party. From the malware analysis standpoint, artificial intelligence brings a lot of speed, and this is needed because, again, you are looking for a needle in a ton of water or in a ton of sand, and this is very complex. From the network forensic standpoint, we are accustomed to using tools such as Wireshark, which everybody knows; well, anyway, there are now specific artificial intelligence tools for network forensic analysis. I have included two of those tools in the list on the last slide. Automated trace: This is one of the most important considerations for you to consider with artificial intelligence in digital forensics. Speed is key. It’s basically the ability to do correlation between large data sets. Case priority: Artificial intelligence can assist investigators in prioritizing cases based on factors like severity, potential impact, or resource allocation, meaning timing. Predictive policing: This is super important because, until today, digital forensics has always been reactive. We react to something that happened. The possibility to make predictions in digital forensics is fantastic. It has never happened before. This is new, at least for me. I started using artificial intelligence back in my own company in 2017, and I have been able to do that in multiple cases for the police department in Miami and in two other cities in Florida: Tampa and St. Petersburg. The results have been amazing. Document analysis: You know that NLP can extract information from documents and analyze textual content for investigations. 
Artificial intelligence dramatically minimizes the time needed for that. Emotional recognition: Everybody knows what happened with the DSP algorithms. Okay? So we can use artificial intelligence to analyze videos, which is awesome because our eyes, the muscles in our eyes, don't have the ability to lie. We can lie when we speak, or we can try, but our eyes’ reactions to a particular stimulus cannot be hidden or cannot be modified. So this is unique. From the data privacy and compliance standpoint, you also have the ability to automate the specific data you want to include as part of your report. Okay? Now, digital forensic data acquisition steps: From my standpoint, after 41 years of experience, preservation--we already talked about this. Documentation: Preservation is integrity. Okay? This is the most important consideration, categorically speaking, in any kind of digital forensic investigation. You have to preserve the data as it is. And remember, you never use the original data for your forensic analysis, never. You always use a copy. And to do copies, you have to use bit-by-bit applications. Bit-by-bit: you cannot copy bytes, or you cannot copy data and forget about the information. So, preservation is the most important thing. Documentation: We already know that everything needs to be documented, okay? From the crime scene to the last point. Chain of custody: One more time, and I guess I’m going to mention this one more time because chain of custody means or opens the door for you to present a case in the court of law or to prove, in your organization, that what you are presenting is appropriate. You have to plan how you are going to collect the data. 
you have to plan with anticipation the specific tools you are going to use what methods are you going to consider in your data collection process this is relevant and you always have to consider the coms coms is probably more important than PR when you select or decided to use a particular application for the data acquisition you always want to focus on the negative people usually tends to talk about the positive oh I like why the Shar because this and that it's better that you focus on the negative in Information Technology everything has cross and comes no exceptions exceptions do not exist there is not one exception everything positive have something negative in information technology and this is what you want to focus on it to avoid problems at the end Okay so how about the verification process you have to verify before you work with the real data that the tools and methods you selected work okay you never want to mess up with the original data needed with a copy you want to test in a test environment your tools your methods your approach the steps you are going to follow is very time consuming it is but by the way it's also very well paid is very well paid the only thing I can tell you that it's very well paid you have no idea if you become a cyber security expert and specialize in digital forensic this is where the money is and trust me this is where the money is okay I'm telling you first person duplication we talk about that already the only way to do that is by creating bit forbit image there is no other ways okay this is why you you want to use PR blocking devices software and Hardware I mentioned that before Tex rooms and hatching different concepts that some people are still confusing about it okay there is a huge difference between the two the main one is that Asing is a oneway function you go from the left to the right and usually you don't have the ability to come back to replicate the process of course if you have the algorithms on hand then you can 
do reverse engineering this is obvious but this is not what happen in regular conditions okay so check zoom and hatching both minimize the possibility that you mistake in your digital forensic ER analysis the other component is acquisition okay so how are you going to collect the data what particular tools are you going to use you always have to maintain a strict R only access to the source if you have the ability to manipulate the data in the source you have the ability to tamper with actually the most important consideration out of the CIA which is integrity if the opponent is the opposite part to you in your organization the defendant in other words have the ability to prove that the the original data or source can be manipulated in any way the conversation is 100% over and the case will be dismissed categorically speaking it's no more conversation so this is a humongous responsibility when it comes to data acquisition what protocols you use what the specific tools how do you plan it how you document is a very painful process in other words okay now data recovery we already talk about the complexity of finding a needle in a tone of s this is super complex okay but it's doable the only thing you have to use is the appropriate tools and you you need to have a specific plan because every single case is 100% different digital signatures sign the acquire data in hatches with a dig digital signature for authentication there are multiple cases today in which H signatures are not accepted anymore in the go government I am a Federal Officer for the US Department of Commerce in USA in the government we are not allowed to sign anything by hand for many years back many years okay digital signatures have a specific component that minimize dramatically speaking the possibility of replication and this is why this is accepted in the court of law verification R verifies the Integrity of that Qui image by comparing hash values with those calculated before the hash values must be 
exact: no difference, not even 0.001 percent; it must match 100%, categorically speaking. Otherwise the court is going to dismiss the case as well, or the organization probably is not going to take the appropriate action versus a particular individual or problem or process. Okay.

Logs and notes: we already talked about documentation at the beginning. You have to actually make sure that everything is timestamped. As I mentioned at the beginning, digital forensic evidence must be collected in a particular order, analyzed in a similar manner, and presented in the report in the specific order in which the process was done; otherwise the process is going to be disqualified, and this is exclusively, at this point, our own responsibility and nobody else's. Okay.

The storage: we already know that chain of custody is one of the most important components. There are multiple forms, depending on the state in which you live and the country as well, that you have to follow. If you miss a check mark, or if you put a check mark on those particular forms unintentionally, you are basically dismissing the case yourself. The court doesn't work in the way many of us believe. Okay. We have the possibility to put somebody in the electric chair or to release, to provide to this particular individual or organization, what we said is relevant. Okay, this is very important.

The briefing: you always have to be in communication with all parties, both the one presenting the digital process or ruling the process and the other party as well. You cannot hide anything, zero, from your opponents in the court of law or from the defendant's side, never in your life. This is why the first bullet in the whole presentation was, as you may remember, ethics. Okay. In digital forensics we provide what we know to the other parties as well, even to the defendant, to the opponents, every single time, no exception, and we provide every single artifact with the clearest possible explanation to the opponents. This is how the digital forensic process works;
otherwise it will be dismissed as well in the court.

Sealing: you have to make sure that every single piece of digital evidence is properly sealed, and that you follow the process by the book. Again, if you skip one step, just one out of 100 or 200, depending on the case, the case is going to be dismissed, no exceptions. The court goes by the book, as you can imagine, and your opponent is going to be very attentive to the minimum possible failure in order to dismiss the case. Okay. So how do you transport the data from one place to the other place? Chain of custody. This is the key component: chain of custody.

Data encryption: you have to make sure that you prevent, or actually prevent, an integrity manipulation, and you always want to ensure the confidentiality of the data. CIA: we already talked about the components confidentiality, integrity, availability. From the digital forensic standpoint the most important, no exception, is integrity, and also the confidentiality. Okay.

So from the recovery image standpoint, you always want to have a duplicate for validation and reanalysis, and remember that you always want to work with a copy of the digital evidence, 100% of the time, not 99%. You have to preserve the original evidence. This is part of our responsibility, and this is why we do bit-by-bit analysis and bit-by-bit copies. It's complex. Okay.

Now, a specific step in digital forensics: to analyze the collected data. At this point you already went through multiple processes and spent a lot of time. How do you analyze the data you have? Because you are going to have probably terabytes of data. Okay, well, you have to make sure that hashing and digital signatures and the chain of custody have been followed. Data prioritization: what happens and what is more relevant? You cannot present in the court two terabytes of data or 2,000 pages; this is irrelevant for the case. Okay. You have to make sure that you use keywords in order to provide a solid report to the court for this particular case. For the keywords, artificial intelligence
has been proven to me to be of huge help. File carving: you have to use a specialized tool to recover files that may have been deleted or intentionally hidden. Timeline analysis, we talked about: you have to do everything by following a particular sequence of activities. In other words, you have to present and do the analysis in chronological order, in the way that you collected the data; this is the exact way you do the analysis, and later you do correlation. Okay, but you have to follow a particular chronological order. Data recovery: you have to do your best to reconstruct the data that has been deleted, or probably damaged, even by a physical or electronic condition in the storage media. The metadata analysis is also complex. Okay, this is the next component after the timeline analysis. Metadata includes multiple kinds of data, so this part of the analysis is going to be more complex and more time consuming than the data collection, and the data collection is already very time consuming. Content analysis: you have to be very careful, because this is basically what the forensic analysis is going to be. Pattern recognition: how you can match one bit of data with another bit. Okay, is there any association between bits, between bytes, between data, between words? This is a critical component. Communication analysis: again, you want to make sure that you include everything. Emails today are probably the most relevant component of digital forensic analysis; you want to make sure that you master email analysis as well. Data encryption: you always have to keep in mind the confidentiality, and when we are talking about the recovery, or the recovery image, I mentioned that as well, similar to the chain of custody before, because you always have to preserve the original data. Evidence examination: you want to make sure that you verify the integrity of the data you have been acquiring, including hash values, digital signatures, and the chain of custody. We talked about this already; this is a repeat of the slide,
by the way. Okay, so database examination, and you are seeing a duplicate slide, so this slide is the same as this one. Okay, so my apology for that; it's my fault. Database examination: investigate databases for valuable information, including structured data and log entries, etc. Media analysis: this is a very complex process, because it's usually about steganography, or includes steganography, and this is about images, videos, audio, geolocation, and digital signatures. Network traffic analysis: tools such as Wireshark, but my suggestion is that you use all the tools that are part of the artificial intelligence applications we can use today and are available in the market. Steganography is always complex, okay, because steganography includes not only images but in many cases audio as well, and this is very complex, time consuming. You always want to make sure that you use the appropriate steganography analysis techniques, and there are multiple specific ones. For volatile analysis, as I mentioned before, there are multiple ways to do data acquisition from RAM memory. When we turn off the computer, all the data from RAM doesn't go away. This is what everybody says, this is what Google says, this is what people that never do forensic investigation repeat; this is not appropriate if you know how to do it. And again, I made the presentation for EC Council in 2019; if you Google my name and this presentation you will be able to find a particular video in which I was able to recover data from RAM memory after the computer was shut down. Shut down, believe it or not. Go for the other presentation; this is in the EC Council database, and you will be able to see the video. Okay. Comparison: you have to do cross-referencing every single time to make sure that the data you identified is appropriate, and you always identify deviations and inconsistencies before you do the final report. I told you already, when you present the report in the court of law, a minimal mistake, something minimal, will get the case disqualified. For example, in this presentation I
included by mistake this slide and this slide. If I do that in the court of law, it is dismissed. Okay, that's it; there's no more conversation. The emotion analysis, we have talked about that: we are talking about persons. Digital evidence is always related to people, processes, applications, hardware, software, so we want to make sure that what we present is accurate. And from the documentation, at some point it was the second point in the presentation, we have to document everything. Reporting is about compiling in a clear and comprehensive manner, including summaries, methodologies, and supporting evidence. You have to include, or at least in my case I always include, the recordings of everything I do. Everything means even if I open my personal email, or if a notification comes to my computer and I open something in my WhatsApp, for example; this is part of the recording as well. Okay. So you have to make sure that you provide expert testimony; in order to do that you have to be an expert in digital forensics. Peer review: consult with others, with your partners, with the opponent, with the defendant's side, before you present. It's not that you are going to modify the report because the defendant doesn't like it; this is not what I'm telling you. It's just that you are going to provide the report, and by the way, you must provide the report to the defendant before you go to the court. By the time you stand up in the court everything needs to be done; the other party needs to know exactly what you are going to present. This is how the legal systems work, okay, with the exception of very few countries, but in the world this is how it works. So the quality assurance is just making sure that what you present is appropriate. The case management is how you use the digital forensics case management system to track everything in the analysis process. And from the data privacy compliance, I told you already, every single place, every single city, every single state operates under different conditions.

Popular tools for
digital forensics, a few of those: EnCase, Autopsy, AccessData (everybody knows) Forensic Toolkit, X-Ways Forensics, Cellebrite, Volatility, Wireshark (everybody most likely knows), Oxygen Forensic Detective, and the Digital Evidence and Forensics Toolkit. So some of those are included in Kali, others are not; some are open source, others are extremely expensive, for example EnCase, which is very, very expensive.

Some relevant references about digital forensics: I prefer to use keywords and not particular references or books, because I don't recommend any specific book, instead the combination of content and knowledge and expertise. But some words or keywords you can use, if you want to expand more in digital forensics, are: digital forensics best practices, challenges, mobile digital forensics, network forensics techniques, cloud forensics investigations, Internet of Things forensics, memory forensics analysis (because you want to stop repeating what you have been learning for years: when you shut down the computer, when the computer is turned off, there is a lot of data that remains in RAM memory, for a particular amount of time of course, okay, so try to expand on this topic), malware analysis in digital forensics, and cybersecurity and digital forensics trends. Those are keywords that will facilitate your expansion, or you expanding, on digital forensics knowledge. Other considerations are some particular journals. Okay, in this case I'm going to risk it and recommend Digital Investigation, which is published by Elsevier and is one of the top in the world. The other one is the Journal of Digital Forensics, Security and Law, and Forensic Science International: Digital Investigation. I'm open to any question you may have, and one more time, before I close my lips, I want to sincerely thank EC Council for another opportunity to talk about this fascinating topic. Thank you very much to all the staff in EC Council that worked tirelessly, who made this presentation a possibility, and thank you so much as well to you guys
attending the conference and for the questions that you may ask.

Thank you very much, Dr. Luis, for such an insightful and informative session. That was really a very interesting webinar, and we hope it was worth your time too. Now, before we begin with the Q&A, I would like to inform all the attendees that EC Council's CHFI maps to the forensic investigator and the consultant, digital forensics. Anyone with the CHFI certification is eligible for 4,000-plus job vacancies globally, with an average salary of $95,000. If you're interested to learn more, kindly take part in the poll that's going to be conducted now; let us know your preferred mode of training and we will reach out to you soon. Dr. Luis, shall we start with the Q&A?

Yes, I'm ready.

Okay, our first question is: how to prove in a court of law that the collected evidence is from the same object and not collected from any other object?

This is a very important question. I really appreciate the clarification on this topic. As I said, we have to be very careful about the way we collect the data. When we are talking about objects, objects are associated to bits, not to bytes only, but bits, and as I mentioned multiple times, when we do the copy of the original data we want to make sure that we always do bit by bit. When you do bit by bit and not byte by byte, because a bit implies up to 3.4 volts in electricity, we are eliminating the possibility of mistakes. Objects are bigger; a bit does not constitute an object. Objects are formed by multiple bits. This is why we have to do the analysis bit by bit, and I mentioned that multiple times.

Thank you for answering that question. Our next question is: what kind of forensic data can we obtain from encrypted data where the key is not available to decrypt the data?

Could you please repeat the question?

What kind of forensic data can be obtained from encrypted data where the key is not available to decrypt the data?

Encrypted data, uh...

I'll just paste the question to you on chat, Dr. Luis.

I'm not watching the
chat right now; something happened. I'm not watching the chat, sorry. Hello? Hello, hello, hello, can you hear me?

Yes, I can hear you. Yes, I have posted the question on the chat, Dr. Luis.

Okay, okay, please.

Yes, I have already pasted it.

Okay, let me check here. Okay, give me a second. Okay: what kind of forensic data can be obtained from encrypted data? Oh, okay, okay. Well, this is another misperception. Okay, everybody knows that when the data is encrypted we cannot open the data, or the particular file, document, video, any kind of digital forensic data. Let me tell you something: there are multiple forensic tools that have the ability to decrypt the data even when we don't have the key. I understand the key component, and I understand that there are two types of encryption, symmetric and asymmetric, and as I said, I have multiple publications about encryption, but there is most likely always the possibility to decrypt data without having the encryption key. I understand that it doesn't sound popular; it's not what we hear every single time, but when we specialize in digital forensics we usually have the tools we need to decrypt the data, especially if you are using artificial intelligence. Also in the government, at least in the US government, in my operation, in the operation I direct, I handle, I supervise, we have been using artificial intelligence for multiple things in cybersecurity since 2017, and we are also using quantum computing. Quantum computing is not coming; quantum computers have been in use in the US government for years now, so we have been using quantum computing for years. There are multiple ways to decrypt the data when the encryption key is not available, multiple ways, multiple applications as well that help with the process. It's very time consuming, but there is a possibility for that. And this is a great question, because the question is, okay, how about if the hard drive is encrypted, there is nothing that I can do, right? No, this is not like that. There are always ways to decrypt the data, always. It doesn't
matter how strong the encryption is, but you need to have the appropriate tools in place. For example, I'm going to mention just one, EnCase. When I presented some tools that I suggest, before, I said that EnCase is very expensive. EnCase does "magic", between quotation marks, man; EnCase does multiple things that we don't learn in school. Okay.

So I can see the other question here: how to adapt to investigations in the cloud, since the cloud providers do not allow most of the important operations to access media? When you have to do a case, or conduct digital forensics, in the cloud, the cloud providers, 99% of the time (I don't want to say 100 because I don't want to risk that), usually the cloud providers include in the SLA, in the service level agreement, what is going to happen if a digital forensic or any kind of investigation needs to be performed in the cloud space. So most likely the cloud operator is going to facilitate access to everything you need. Sometimes you have to move and go physically to the place in which the data is hosted. Don't believe that the cloud provider doesn't know where the data is hosted; we know where the data is hosted, specifically. I have been in San Diego, California, and other states, and in Hawaii back in 2019 as well, doing forensic investigations in a cloud environment. It was actually for something government related, and I was given the permission I needed to do any kind of investigation. So cloud providers facilitate forensic analysis, because forensic analyses are usually related to legal cases. There are multiple cases in which, in the USA, we don't have access to this data, and I'm going to mention an example: TikTok. The problem between the US government and TikTok is that when TikTok got the authorization to operate in the USA, the government was one step behind. Okay, and we don't regulate TikTok at this point. TikTok has the ability to prevent forensic investigation in the TikTok platforms for the US government court system or legal system. Okay, but
again, usually cloud providers facilitate investigations in the cloud 100%. They cooperate in every single manner; they have to facilitate the forensic investigation.

Thank you for answering that question. We'll take the last question for the day: what are the best open source, free tools for social media forensics?

There is no best open source tool; it is a combination of tools. Number one, digital forensics cannot be performed, categorically speaking, with one or two tools. This is a complex, time consuming, and expensive process. I made some suggestions; it's included in the slide. Let me see a slide: slide number 16, okay, this is the slide in which I include EnCase, Autopsy, and the rest. Some of them are open source, as I mentioned before, but there is not a particular tool, or two or three tools, that I will recommend, because on top of that, every single forensic investigation is about a different process; you cannot use the same tools. This is why there are, at least in the USA, a very small number of organizations, companies, that specialize in digital forensics, as my company does. The reason why is because, among many other things, lack of expertise and expenses. Okay. So I do not recommend a particular tool, instead the combination of tools. There are multiple open source ones; I mentioned a few on slide number 16 of my PowerPoint presentation, but again, those are not sufficient. Those are the most popular and strongest, or, more accurately, tools that you can use for digital forensics, but a particular tool, one or two, to do forensic investigation, it doesn't exist. It's impossible; it doesn't.

Thank you again to our wonderful speaker, Dr. Luis, for answering those questions and for the great presentation and knowledge shared with our global audiences. It was a pleasure to have you with us, and we are looking forward to more and more sessions with you. Before we conclude the webinar, Dr. Luis, would you like to give a small message to our audiences, please?

Well, no, I just want to thank everybody again, the ones
that worked tirelessly behind the presentation, you in EC Council, as always. Thank you very much for the support, for all the attendees; I hope you learned something new. Let me clarify that every single content, wording, words, etc. that I have been presenting for you is my original creation, 100%, not 99.99 but 100%, categorically speaking, and I put together those notes and reflections for you guys with the hope that you can come back to your organization and serve better, that you can become a public servant and go to the court and testify in favor of the party that deserves your benefits. And I sincerely thank you for the opportunity to share my expertise with you guys. Have a nice weekend. Okay, thank you very much for the time and questions.

Thank you so much. Thank you so much, Dr. Luis, for your message. Before we end the session, I would like to announce the next Cyber Talks session: Why Are Strong Foundational Cybersecurity Skills Essential for Every IT Professional?, which is scheduled on November 8, 2023. This session is an expert presentation by Roger Smith, Director, Car Managed IT, Industry Fellow at the Australian Defence Force Academy. To register for this session please do visit our website, www.ccu.edu cybertalks; the link is given in the chat section. Hope to see you all on November 8th. With this we end the session; with this you may disconnect your lines. Thank you.

Thank you so much, Dr. Luis, pleasure having you.

Likewise, thank you very much for the opportunity. Thank you, have a good day.