Shilpa Goswami: Hello, everyone, and welcome to today's session on digital forensics: best practices from data acquisition to analysis. I'm Shilpa Goswami, and I'll be your host for the day. Before we get started, we would like to go over a few house rules for our attendees. The session will be in listen-only mode and will last for an hour, of which the last 15 minutes will be dedicated to Q&A. If you have any questions during the webinar, for our organizers or speakers, please use the Q&A window. Also, if you face any audio or video challenges, please check your internet connection or you may log out and log in again. An important announcement for our audience: we have initiated CPE credit certificates for our participants. To qualify for one, attendees are required to attend the entire webinar and then send an email to cyber talks at eccouncil.org, after which our team will issue the CPE certificate. Also, we would like to inform our audience about the special handouts. Take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC Council and Cyber Talks.
We will share free handouts with the first 15 attendees. As a commitment to closing the cybersecurity workforce gap by creating multi-domain cyber technicians, EC Council pledges $3,500,000 towards ECT Education and Certification Scholarships to certify approximately 10,000 cyber professionals ready to contribute to the industry. Did you know that you can be part of the lucrative cybersecurity industry? Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cybersecurity professionals. The cybersecurity industry has a 0% unemployment rate. The average salary for an entry-level cybersecurity job is about $100,000 per year in the United States. Furthermore, you don't need to know coding, you can learn from home, and you get a scholarship to kick-start your career. Apply now. EC Council is pledging a $3,500,000 CCT scholarship for cybersecurity career starters. Scan the QR code on the screen to apply for the scholarship. Fill out the form.

Now, about our speaker, Dr. Luis. Dr. Luis Noguerol is the Information Systems Security Officer for the U.S. Department of Commerce, NOAA, where he oversees the cybersecurity operation for six states in the Southeast Region. Dr. Luis is also the President and CEO of the Advanced Division of Informatics and Technology, Inc., a company that focuses on data recovery, digital forensics, and penetration testing. He is a world-renowned expert in data recovery, digital forensics, and penetration testing. He holds multiple globally recognized information technology and cybersecurity certifications and accreditations and is the recipient of multiple awards in technology, cybersecurity, and mathematics. He currently serves pro bono as an editorial board member and reviewer for the American Journal of Information Science and Technology, is a member of the prestigious high-edging professor program for undergraduate and graduate programs at multiple universities in the U.S., and is a reviewer for the doctoral program at the University of Karachi in Pakistan. He is the author of multiple cybersecurity publications and articles, including Cybersecurity Issues in Blockchain: Challenges and Possible Solutions.
He is also one of the co-authors and reviewers of the worldwide acclaimed book, Intrusion Detection Guide. Prior to obtaining his doctorate degree in Information Systems and Technologies from the University of Phoenix, Dr. Luis earned a Bachelor of Science in Radio Technical and Electronic Engineering, a Bachelor of Science in Telecommunications and Networking, and a Master of Science in Mathematics and Computer Science. Without any further delay, I will hand over the session to you, Dr. Luis. Thank you very much.

Dr. Luis Noguerol: Thanks. Okay. Good morning, everybody. Good afternoon, and good night, depending on the specific area in which you reside. We are going to have an interesting conversation today about digital forensic best practices from data acquisition to analysis. This is the title of the presentation or subject, and I'm more than happy to be here with you all and share some of my expertise. So, let's go ahead and start the conference, okay? She already mentioned some of my credentials. I have been working in cybersecurity at this point for over 41 years.
This is in my DNA, a topic that I didn't like and respect as much as I cannot talk about any other topic in my life. Before we go, I have here a statement that I put together for you, okay? Digital forensic best practices. Well, consideration number one: just to break the ice. In the labyrinth of cyberspace, where shadows dance through encased passages and data whispers its secrets, the digital detective emerges. This is us, the digital forensic experts. Clad in lines of code and armed with algorithms, we seek the hidden treasures of truth and solving enigmatic cybercrimes. With a visual magnifying glass, this is what we do: we dissect the digital tapestry, unveiling the footprints of elusive cyber cultures. This is what cyber forensics, or digital forensics, is about. Each keystroke and pixel holds a clue, something that we can use in our favor. And in this mesmerizing world of the digital era, ones and zeros, the art of digital forensics is about finding the secret of the digital reality. Digital forensics is about finding evidence that can lead to a particular process.
It can be a legal process, or it can be any other kind of process. But what is digital forensics from my point of view? Well, I mentioned earlier that I've been working in cybersecurity for 41 years. My specialties are in penetration testing, data recovery, and digital forensics. I've been working for the police department in multiple places doing digital forensics for them. So I try to put together an easy definition for you from my standpoint about what digital forensics is. Digital forensics investigates digital devices and electronic data to use as evidence. Please note that I don't say electronic information; I use the word "data" intentionally, to understand digital events and trace illicit activities. This is a key component of digital forensics. Normally speaking, digital forensics happens, of course, after the facts, and the idea of digital forensics is identifying traces, okay, that lead to particular data that we can gather together and make a conclusion. It involves the systematic collection, preservation, analysis, and presentation of digital evidence in legal proceedings.
This is key today because we are technology-dependent, and there are multiple states, at least in the USA and some other countries, where digital forensics is still in limbo because it's not accepted in the court of law. Okay. So, this is very important to keep in mind. What are we going to do from the digital forensics standpoint, the data collection process, and the analysis? Digital forensics experts use specialized techniques and tools to extract data from computers, smartphones, networks, and digital storage media to support investigations and resolve legal matters. So this is basically what digital forensics is about.

Let's go ahead and start with the technical part, which is the topic I like most. Okay, let's talk about those 30 best practices that I've put together for you. At the end of the presentation, you will have the opportunity to ask as many questions as you like.

1. You have to follow the legal and ethical standards: For this particular first point, I am not going to make any comment. I believe that ethics is a key component of cybersecurity.
We always have to follow the rules. We must always follow the legal procedures in the places in which we operate because every single place is a different component.

2. Understand the original evidence: This is key. Okay. You always have to maintain the integrity of the original evidence to ensure it is admissible in court. Any kind of manipulation or modification will result in disqualification from the court system.

Document everything: This is something that technical people like me don't like too much, but when it comes to digital forensics, we have to document every single step we take. We have to record all the steps we follow, and we want to make sure that everything is documented and recorded in a specific chronological order. This is a key component for digital forensics or investigations to be accepted in the court of law.

Secure the scene: It's not just physical crime scenes that need to be secured to prevent contamination or tampering.
If you present anything in court and the opposing party has the ability to prove that something was not preserved, the conversation is over.

Chain of custody: I'm going to repeat this more than once during the presentation. Sorry. Chain of custody refers to how you establish and maintain the evidence and the process that facilitates how the tracking process is handled.

Use write-blocking tools: This is another key component of digital forensics. It means that you have to use the appropriate hardware and software that allow for write blockers when you are collecting data to prevent alteration. There is a set of tools you can use, and at the end of the presentation, I'm going to provide you with a specific set of tools you can use as write-blocking tools.

Verify hashing or hash values: This is how you calculate and compare hash values to verify the data's integrity. There is often confusion about integrity, confidentiality, and availability. In digital forensics, the most important component is integrity.
It means that we must make every effort to ensure that the data is not modified in any possible way, from the time we arrive at the scene to the time we present the evidence in court, and even after that as well.

So, the other component is: collect volatile data first. Okay, this obviously makes perfect sense. You have to prioritize this type of data collection as it can be lost or modified when the system is powered down. For many of you, what I'm going to tell you may sound not appropriate, and this is the following assessment: we've been told from the time we arrived at school and even at work that information or data in random access memory (RAM) disappears when the computer is shut down. Back in 2019, I made a presentation similar to this one for this account, in which I proved that the data in RAM can be recovered. Okay. So, what we have been learning in multiple places, and what you can easily find on Google, that data in RAM is lost when computers are powered down, is not exactly correct.

The other component is the forensic image.
You have to create a forensic image of storage devices to work with copies. You must always present the original evidence. This is a requirement in the court of law. You must present the original evidence every single time.

The other component is data recovery. Data recovery is closely associated with digital forensics for obvious reasons. Okay. You have to employ specialized tools to recover deleted or hidden data. This is also something to keep in mind. At the end, I'm going to provide some specific applications you can use to do data recovery.

Timeline analysis: You must construct and analyze timelines to understand the sequence of events. What happened first? The chronological order is a mandatory requirement in the court of law. You cannot present evidence in court in a random manner. You have to follow the specific chronological order.

The other consideration is preserving the metadata. Ensure metadata integrity to verify results, timing, and authenticity of the digital artifacts you are going to present in the court of law.
Use known good reference data: This means you have to compare the collected data with known good reference data to identify anomalies, specific patterns, and statistical processes. Many times, you have to do this as well.

Anti-forensic awareness: You have to be aware of the anti-forensic techniques in use. There are multiple applications that work against digital forensics. So, you must be aware of that. Before you start digital forensics analysis, while working on the data collection process, you want to make sure you don't have any anti-forensic tools or applications installed on the particular host or hosts in which you are going to conduct the investigation.

Another very important component is cross-validation. This is what brings actual reputation and respect to the data you are presenting in the court of law. Okay?

So the standard operating procedures are a very important component that is oftentimes overlooked, and it's about developing and following SOPs that maintain consistency. This is why documentation is key, and it was presented in slide number one.
Training and certification are also important components, and this is relevant. The reason why it's relevant is that I understand you can learn many things by yourself. This is becoming more popular as we become more technology-dependent. This is normal and expected, but certifications still hold particular value. There are multiple questions in certification exams, in general terms, not only in EC-Council certifications or others, in which, most likely, if you don't go through the certification process, you will never find out. And this is what some people say: "Well, this is theoretical information." Digital forensics involves a lot of theoretical information--A LOT. Remember that we are doing the analysis at a low level, from the technical standpoint. So theory is extremely important and relevant when we do forensic investigations--digital forensics. The same happens with medical doctors. When medical doctors do a forensic analysis of the body of someone who passed away, they also employ a lot of theoretical knowledge they have been accumulating. Digital forensics is no different.
The other consideration is expert testimony. Okay? I, for example, live in Miami, Florida, in the USA, and I am one of the 11 experts certified by the legal system in the 11 districts. This means that when you go to court, you have to be classified as an expert in order to provide comments and evidence. Otherwise, you will probably not be able to speak in court, as what we say in court is relevant for the case. And with our wording or statement, along with the evidence we provide, we have the ability to put somebody in jail or release this person from jail. So, this is extremely important. Okay?

So, evidence storage is one of the most important components. Your opponent in court or in your company will try their best to challenge what you are presenting. So, you have to safely store and protect evidence to maintain its integrity. Integrity is the most important characteristic or consideration in digital forensics--without any other factor coming close. So, integrity is everything in digital forensics. Okay?
Data encryption: There are multiple cases in which you will do digital forensics on encrypted storage devices, encrypted data, or encrypted applications. You need to develop the ability to handle encrypted data and understand the encryption methods. Among the publications I have, I have over 25 publications on different topics and concepts within security. A few of them, probably five or six, are specifically about encryption. If we want to do digital forensics, we must become data encryption experts. There is no other way. I understand that many people don't like math, statistics, physics, etc., but this is a requirement for doing an appropriate digital forensic assessment. It's a necessity today. Okay?

The other consideration, and this is for the people who love technology like me attending or watching this conference, is network. I am a big fan of networks. I have been working in networking for 41 years. My doctoral degree is in telecommunications and cybersecurity. So, networking is in my DNA. I love networking more than any other topic in information technology.
Network analysis is the ability to analyze network traffic logs and data to trace digital footprints. I'm pretty sure everyone has a tool of mine, and, of course, this tool is most likely part of the tools I'm going to provide in the last slide for you. But network analysis today, from a digital forensics standpoint, is everything. Everything is network-related in one or another way.

Malware analysis: We need to develop the ability to understand malware behavior and analysis and how those malwares impact systems. This needs to be incorporated as part of the cybersecurity analysis when performing digital forensics today.

Cloud forensics: I don't have to highlight how important cloud operations are. Okay? We are moving operations to the cloud, and for those still running operations on-premises, there is a high expectation that sooner rather than later, you will move operations to the cloud for multiple conveniences. However, the configuration at this point does not fully benefit all aspects of the cloud.
From a forensic standpoint, when you do cloud forensics, the situation is a little different from on-premises investigations. So, you have to adapt methodologies for investigating data in the cloud, regardless of the cloud provider. Here, as a matter, you can see AWS, Google, Azure, or anyone else. The operation in the cloud is somehow different from a digital forensics standpoint, starting with how you access the data.

Remote forensics: Remote forensics is the opportunity to develop skills for collecting and analyzing data from a remote location. This is happening more frequently now as we become more telework-dependent. In multiple cases--my own company, for example, knowing my job with the government, but owning my own company--I have been doing more remote digital forensics in the last two, three years, probably two years, than probably ever before in my life. So, this is an important skill to develop as well.

Case management: This is how we use digital forensics case management to organize and track investigations.
I mentioned to 00:22:52.880 --> 00:22:55.840 you that I go to court very often--more 00:22:55.840 --> 00:23:00.039 often than I want, very, very often. 00:23:00.039 --> 00:23:04.279 Okay. And they scrutinize every 00:23:04.279 --> 00:23:06.480 single protocol you present, every single 00:23:06.480 --> 00:23:08.880 artifact, every single document, and the 00:23:08.880 --> 00:23:11.320 specific chronological order. This is a 00:23:11.320 --> 00:23:14.600 complex process. It’s not just collecting 00:23:14.600 --> 00:23:17.760 the data, performing the digital forensics 00:23:17.760 --> 00:23:20.000 analysis, and going to court to testify. 00:23:20.000 --> 00:23:22.960 Okay? The process is much more 00:23:22.960 --> 00:23:25.200 complex than this. 00:23:25.200 --> 00:23:27.400 Collaboration: Collaborate with other 00:23:27.400 --> 00:23:29.240 experts and there's one in the middle 00:23:29.240 --> 00:23:31.520 that I'm going to highlight in a few. 00:23:31.520 --> 00:23:34.080 Collaborate with other experts, law 00:23:34.080 --> 00:23:37.039 enforcement, or organizations for complex 00:23:37.039 --> 00:23:40.120 cases. Cases are different from one another. 00:23:40.120 --> 00:23:41.880 Of course, this is okay, and I know you 00:23:41.880 --> 00:23:44.880 know that. Okay? But you have some cases 00:23:44.880 --> 00:23:47.080 sometimes in which the forensic analysis 00:23:47.080 --> 00:23:50.279 becomes very complex. In those particular 00:23:50.279 --> 00:23:53.120 cases, my advice is to collaborate with 00:23:53.120 --> 00:23:55.720 others. Okay? You do better when you work 00:23:55.720 --> 00:23:58.400 as part of a team and not when you work 00:23:58.400 --> 00:24:01.159 independently. I’ll skip the data 00:24:01.159 --> 00:24:04.120 privacy compliance for a minute because 00:24:04.120 --> 00:24:07.520 this is relevant. Every single state, 00:24:07.520 --> 00:24:09.400 every single... No 00:24:09.400 --> 00:24:14.000 exception. 
A state court operates on 00:24:14.000 --> 00:24:16.440 different requirements. So, you want to 00:24:16.440 --> 00:24:19.320 make sure that you follow the privacy 00:24:19.320 --> 00:24:22.799 regulations in your specific place. Okay? 00:24:22.799 --> 00:24:24.600 And by the way, I'm going to ask you a 00:24:24.600 --> 00:24:27.480 question. I'm not expecting any response. 00:24:27.480 --> 00:24:30.440 But the question is: by any chance, do you 00:24:30.440 --> 00:24:33.399 know the specific digital forensic 00:24:33.399 --> 00:24:36.360 regulations in the place you live? Ask 00:24:36.360 --> 00:24:38.919 yourself this question, and probably some 00:24:38.919 --> 00:24:42.320 of you are going to respond "no." This is a 00:24:42.320 --> 00:24:45.279 critical thing. Continuous learning: You 00:24:45.279 --> 00:24:48.319 need to keep asking about what we do. Okay? 00:24:48.319 --> 00:24:51.799 Cybersecurity is a specialization of IT. From 00:24:51.799 --> 00:24:54.520 my point of view, it's the most fascinating 00:24:54.520 --> 00:24:57.320 topic in the world. This is 00:24:57.320 --> 00:25:00.279 the only topic I can talk about 00:25:00.279 --> 00:25:04.399 for 25 hours without drinking water. 00:25:04.399 --> 00:25:07.640 This is my life. I dedicate multiple 00:25:07.640 --> 00:25:10.360 hours every single day, seven days a week, 00:25:10.360 --> 00:25:13.039 even when it creates some personal 00:25:13.039 --> 00:25:15.960 problems with my family, etc. This is in 00:25:15.960 --> 00:25:19.960 my DNA. I encourage each of you, if you 00:25:19.960 --> 00:25:23.679 are not doing so, to dedicate your life to 00:25:23.679 --> 00:25:27.120 becoming a digital forensics expert. Digital 00:25:27.120 --> 00:25:30.320 forensics is one of the most fascinating 00:25:30.320 --> 00:25:33.120 topics on the planet. Okay. And you want 00:25:33.120 --> 00:25:36.559 to be attentive to these types of things. 
00:25:36.559 --> 00:25:38.520 Report and presentation: When you go to 00:25:38.520 --> 00:25:41.360 the court, or when you present the 00:25:41.360 --> 00:25:44.080 outcomes of all the digital forensic 00:25:44.080 --> 00:25:46.600 work to your organization, you want 00:25:46.600 --> 00:25:48.360 to make sure that you use clear 00:25:48.360 --> 00:25:52.320 language, you are concise, and you are 00:25:52.320 --> 00:25:54.559 ready for the presentation questions and 00:25:54.559 --> 00:25:56.679 answers. You never want to go to the 00:25:56.679 --> 00:25:59.000 court unprepared. Okay? Never in your 00:25:59.000 --> 00:26:00.880 life. This is not appropriate because, at 00:26:00.880 --> 00:26:04.440 the end of your assessment, you have the 00:26:04.440 --> 00:26:07.520 possibility to put somebody in jail, or 00:26:07.520 --> 00:26:09.080 somebody will be fired from the 00:26:09.080 --> 00:26:12.320 organization or not. So what we say is 00:26:12.320 --> 00:26:16.200 relevant. Our wording has a huge impact 00:26:16.200 --> 00:26:18.960 on other people's lives. It's important 00:26:18.960 --> 00:26:21.399 to be attentive to that. One of the most 00:26:21.399 --> 00:26:24.720 relevant topics that I have been using in 00:26:24.720 --> 00:26:27.679 my practice is the use of artificial 00:26:27.679 --> 00:26:30.760 intelligence in digital forensics. Since 00:26:30.760 --> 00:26:35.919 2017, this is not a topic that is well 00:26:35.919 --> 00:26:39.480 known. At this point, this is the reason why I 00:26:39.480 --> 00:26:41.919 really want to share my experience, 00:26:41.919 --> 00:26:44.919 practical experience, with you guys: 00:26:44.919 --> 00:26:47.919 digital evidence analysis, how artificial 00:26:47.919 --> 00:26:51.720 intelligence can help us. 
Well, everybody 00:26:51.720 --> 00:26:55.320 knows that we have multiple applications 00:26:55.320 --> 00:26:58.399 that we can use in order to analyze 00:26:58.399 --> 00:27:00.480 the different kinds of media that can be 00:27:00.480 --> 00:27:03.440 generated, for example, text, images, and 00:27:03.440 --> 00:27:06.279 videos. Artificial intelligence systems 00:27:06.279 --> 00:27:09.159 have the ability to detect and flag 00:27:09.159 --> 00:27:11.320 potentially relevant content for 00:27:11.320 --> 00:27:13.399 investigations, especially from the 00:27:13.399 --> 00:27:17.000 timing standpoint. Digital forensics is 00:27:17.000 --> 00:27:19.919 extremely time consuming, very, very 00:27:19.919 --> 00:27:23.200 time consuming and complex. This is 00:27:23.200 --> 00:27:27.000 probably, along with data recovery, the 00:27:27.000 --> 00:27:29.260 most complex specialization in 00:27:29.260 --> 00:27:32.760 cybersecurity. So the use of artificial 00:27:32.760 --> 00:27:35.679 intelligence, in our favor, is very 00:27:35.679 --> 00:27:38.159 convenient. And at the end, I'm going to 00:27:38.159 --> 00:27:40.720 include as well, or actually I included 00:27:40.720 --> 00:27:44.039 in the list, a particular artificial 00:27:44.039 --> 00:27:45.919 intelligence tool that you can use in 00:27:45.919 --> 00:27:49.159 your favor. The other use of artificial 00:27:49.159 --> 00:27:51.600 intelligence is pattern 00:27:51.600 --> 00:27:54.159 recognition. Artificial intelligence can 00:27:54.159 --> 00:27:56.960 identify patterns in data, helping 00:27:56.960 --> 00:27:59.720 investigators recognize anomalies or 00:27:59.720 --> 00:28:02.720 correlations in digital artifacts that 00:28:02.720 --> 00:28:05.720 may indicate criminal activity. 00:28:05.720 --> 00:28:07.640 Out of the whole sentence, the most 00:28:07.640 --> 00:28:12.000 important question is: "What is the key word?" The key word is 00:28:12.000 --> 00:28:15.080 correlation. 
How do we correlate data by 00:28:15.080 --> 00:28:17.039 using artificial intelligence? The 00:28:17.039 --> 00:28:19.399 process is going to be simplified 00:28:19.399 --> 00:28:22.000 dramatically, speaking based on my 00:28:22.000 --> 00:28:25.080 personal experience. The other component is 00:28:25.080 --> 00:28:28.240 NLP. This can be used to analyze 00:28:28.240 --> 00:28:31.440 text-based evidence, including logs 00:28:31.440 --> 00:28:33.919 and emails, to uncover communication 00:28:33.919 --> 00:28:37.039 patterns or hidden meanings. A lot of the 00:28:37.039 --> 00:28:39.679 evidence that we collect, about 00:28:39.679 --> 00:28:43.760 65%, is included in emails, chats, 00:28:43.760 --> 00:28:48.080 documents, etc., so this is where NLP plays 00:28:48.080 --> 00:28:49.960 a predominant role in artificial 00:28:49.960 --> 00:28:52.120 intelligence in the digital forensic 00:28:52.120 --> 00:28:55.399 analysis. For image and video analysis, it provides 00:28:55.399 --> 00:28:58.159 incredible benefits. Okay? You have the 00:28:58.159 --> 00:29:00.039 ability to analyze multimedia 00:29:00.039 --> 00:29:02.559 content to identify objects, people, and 00:29:02.559 --> 00:29:05.000 potentially illegal or 00:29:05.000 --> 00:29:08.320 sensitive content. I'm sure a word 00:29:08.320 --> 00:29:11.200 is coming to your mind right now: steganography. 00:29:11.200 --> 00:29:14.000 Yes, this is part of steganography, but it's 00:29:14.000 --> 00:29:18.480 not similar to doing steganography by using a 00:29:18.480 --> 00:29:20.440 particular application. When you 00:29:20.440 --> 00:29:23.159 employ artificial intelligence tools 00:29:23.159 --> 00:29:25.279 that are dedicated exclusively to 00:29:25.279 --> 00:29:28.360 digital forensics, the benefit is really 00:29:28.360 --> 00:29:31.080 awesome. 
Predictive analysis: Machine 00:29:31.080 --> 00:29:33.720 learning models can predict potential 00:29:33.720 --> 00:29:37.120 areas of interest in an investigation, 00:29:37.120 --> 00:29:39.559 guiding forensic experts to focus on 00:29:39.559 --> 00:29:42.039 critical evidence. Imagine that you are 00:29:42.039 --> 00:29:45.279 analyzing a hard drive that is one 00:29:45.279 --> 00:29:49.039 terabyte and holds a lot of 00:29:49.039 --> 00:29:52.600 documents, videos, pictures, sounds, etc. You 00:29:52.600 --> 00:29:55.080 know that, right? If you are 00:29:55.080 --> 00:29:56.960 attending this conference, it's because you 00:29:56.960 --> 00:29:59.360 are very familiar with information 00:29:59.360 --> 00:30:02.880 technology, cybersecurity, and digital forensics. 00:30:02.880 --> 00:30:06.640 Well, how do you find the specific data you 00:30:06.640 --> 00:30:09.480 need to prove something in a court of 00:30:09.480 --> 00:30:12.360 law? You have to be very careful 00:30:12.360 --> 00:30:14.519 about the pieces of data you pick for 00:30:14.519 --> 00:30:17.760 the analysis; otherwise, your 00:30:17.760 --> 00:30:20.080 assessment is not appropriate. And again, 00:30:20.080 --> 00:30:23.000 every single word we say in a court 00:30:23.000 --> 00:30:26.159 of law, or in the organization we 00:30:26.159 --> 00:30:29.720 are working for, is relevant. It implies 00:30:29.720 --> 00:30:31.799 that probably somebody will be in jail 00:30:31.799 --> 00:30:35.080 for 30 years, or probably somebody, if we're 00:30:35.080 --> 00:30:38.440 talking about a huge crime like an 00:30:38.440 --> 00:30:41.559 assassination or child abuse, 00:30:41.559 --> 00:30:45.320 will face consequences like death. Our 00:30:45.320 --> 00:30:48.600 assessment is critical. Okay? We become 00:30:48.600 --> 00:30:51.720 the main players when 00:30:51.720 --> 00:30:53.880 digital forensics is involved. We have to 00:30:53.880 --> 00:30:56.240 be very careful about the way we do it. 
00:30:56.240 --> 00:30:59.480 This is not a joke; it's very serious. Okay? 00:30:59.480 --> 00:31:01.480 Predictive analysis, machine learning 00:31:01.480 --> 00:31:03.600 models, or artificial intelligence are 00:31:03.600 --> 00:31:06.320 pretty close in this concept and can predict 00:31:06.320 --> 00:31:08.480 potential areas of interest in an 00:31:08.480 --> 00:31:11.240 investigation. But we also talk about 00:31:11.240 --> 00:31:12.880 detection. Artificial-intelligence- 00:31:12.880 --> 00:31:15.720 driven security tools can identify 00:31:15.720 --> 00:31:17.960 cyber threats and potential cybercrime 00:31:17.960 --> 00:31:21.299 activities, helping law enforcement and cybersecurity 00:31:21.299 --> 00:31:23.600 teams respond effectively and 00:31:23.600 --> 00:31:27.240 proactively. More importantly, the 00:31:27.240 --> 00:31:30.039 majority of us have multiple tools that 00:31:30.039 --> 00:31:31.440 we call proactive 00:31:31.440 --> 00:31:34.519 in our place of work. Okay? We 00:31:34.519 --> 00:31:37.600 have different kinds of monitors, etc. But 00:31:37.600 --> 00:31:39.840 the possibility to do something in a 00:31:39.840 --> 00:31:43.399 proactive mode is really what we want. 00:31:43.399 --> 00:31:45.639 Evidence authentication: Artificial 00:31:45.639 --> 00:31:47.120 intelligence can assist in the 00:31:47.120 --> 00:31:49.360 authentication of digital evidence, 00:31:49.360 --> 00:31:51.440 ensuring its integrity and the 00:31:51.440 --> 00:31:54.200 possibility of this data being admitted 00:31:54.200 --> 00:31:57.399 in court. Data recovery: Artificial 00:31:57.399 --> 00:32:00.440 intelligence helps with the recovery of 00:32:00.440 --> 00:32:02.279 data that has been deleted, 00:32:02.279 --> 00:32:05.320 intentionally or unintentionally. It 00:32:05.320 --> 00:32:07.399 doesn't matter. 
When we do digital 00:32:07.399 --> 00:32:10.919 forensics, we want to have as much data as 00:32:10.919 --> 00:32:14.880 we can to make a case 00:32:14.880 --> 00:32:17.600 against a particular party. From the 00:32:17.600 --> 00:32:20.200 malware analysis standpoint, 00:32:20.200 --> 00:32:23.240 artificial intelligence brings a lot of 00:32:23.240 --> 00:32:25.960 speed, and this is needed because, again, 00:32:25.960 --> 00:32:29.240 you are looking for a needle in a ton of 00:32:29.240 --> 00:32:33.039 water or in a ton of sand, and this 00:32:33.039 --> 00:32:35.639 is very complex. From the network 00:32:35.639 --> 00:32:37.880 forensic standpoint, we are accustomed to 00:32:37.880 --> 00:32:40.720 using tools such as Wireshark, which everybody 00:32:40.720 --> 00:32:44.480 knows, well, anyway, 00:32:44.480 --> 00:32:46.559 there are now specific artificial 00:32:46.559 --> 00:32:49.200 intelligence tools for network forensic 00:32:49.200 --> 00:32:53.240 analysis. I have included two of 00:32:53.240 --> 00:32:56.039 those tools in the list on the last 00:32:56.039 --> 00:32:59.440 slide. Automated trace: This is one of the 00:32:59.440 --> 00:33:01.559 most important considerations for you to 00:33:01.559 --> 00:33:04.000 consider with artificial intelligence in 00:33:04.000 --> 00:33:08.120 digital forensics. Speed is key. It’s basically 00:33:08.120 --> 00:33:11.039 the ability to do 00:33:11.039 --> 00:33:15.960 correlation between large data sets. Case 00:33:15.960 --> 00:33:18.399 priority: Artificial intelligence can 00:33:18.399 --> 00:33:20.480 assist investigators in 00:33:20.480 --> 00:33:23.519 prioritizing cases based on factors like 00:33:23.519 --> 00:33:25.960 severity, potential impact, or resource 00:33:25.960 --> 00:33:29.200 allocation, meaning timing. 
00:33:29.200 --> 00:33:31.919 Predictive policing: This is super important 00:33:31.919 --> 00:33:35.039 because, until today, digital forensics has 00:33:35.039 --> 00:33:38.399 always been reactive. We react to 00:33:38.399 --> 00:33:40.840 something that happened. The possibility to 00:33:40.840 --> 00:33:44.120 make predictions in digital forensics is 00:33:44.120 --> 00:33:46.519 fantastic. It has never happened before. 00:33:46.519 --> 00:33:49.240 This is new, at least for me. I started 00:33:49.240 --> 00:33:51.600 using artificial intelligence back in my own 00:33:51.600 --> 00:33:54.919 company in 2017, and I have been able to 00:33:54.919 --> 00:33:55.960 do that in 00:33:55.960 --> 00:33:59.399 multiple cases for the police department 00:33:59.399 --> 00:34:02.600 in Miami and in two other cities in 00:34:02.600 --> 00:34:06.639 Florida: Tampa and St. Petersburg. The 00:34:06.639 --> 00:34:09.239 results have been amazing. Document 00:34:09.239 --> 00:34:12.280 analysis: You know that NLP can extract 00:34:12.280 --> 00:34:14.800 information from documents and analyze 00:34:14.800 --> 00:34:17.119 textual content for investigations. 00:34:17.119 --> 00:34:19.079 Artificial intelligence dramatically minimizes 00:34:19.079 --> 00:34:21.440 the time needed for that. 00:34:21.440 --> 00:34:24.639 Emotional recognition: Everybody 00:34:24.639 --> 00:34:27.760 knows what happened with the DSP 00:34:27.760 --> 00:34:31.560 algorithms. Okay? So we can use artificial 00:34:31.560 --> 00:34:33.918 intelligence to analyze videos, 00:34:33.918 --> 00:34:38.040 which is awesome because our eyes, the 00:34:38.040 --> 00:34:40.239 muscles in our eyes, don't have the 00:34:40.239 --> 00:34:43.399 ability to lie. We can lie when we speak, 00:34:43.399 --> 00:34:46.079 or we can try, but our eyes' reactions 00:34:46.079 --> 00:34:49.119 to a particular stimulus cannot be hidden 00:34:49.119 --> 00:34:51.960 or cannot be modified. So this is unique. 
00:34:51.960 --> 00:34:54.480 From the data privacy and compliance standpoint, you 00:34:54.480 --> 00:34:57.119 also have the ability to 00:34:57.119 --> 00:35:02.680 automate the specific data you want to 00:35:02.680 --> 00:35:06.800 include as part of your report. Okay? Now, 00:35:06.800 --> 00:35:09.280 digital forensic data acquisition steps, 00:35:09.280 --> 00:35:12.400 from my standpoint, after 41 years of experience: 00:35:12.400 --> 00:35:15.480 preservation, we already talked about this, 00:35:15.480 --> 00:35:18.160 and documentation. Preservation is integrity. 00:35:18.160 --> 00:35:21.320 Okay? This is the most important 00:35:21.320 --> 00:35:24.119 consideration, categorically speaking, in 00:35:24.119 --> 00:35:25.880 any kind of digital forensic 00:35:25.880 --> 00:35:28.400 investigation. You have to preserve the 00:35:28.400 --> 00:35:31.320 data as it is. And remember, you never use 00:35:31.320 --> 00:35:33.119 the original data for your forensic 00:35:33.119 --> 00:35:36.520 analysis, never. You always use a copy. And 00:35:36.520 --> 00:35:40.469 to do copies, you have to use bit-by-bit 00:35:40.469 --> 00:35:43.320 applications. Bit by bit: you cannot 00:35:43.320 --> 00:35:46.800 copy bytes, or you cannot copy data 00:35:46.800 --> 00:35:49.160 and forget about the information. So, 00:35:49.160 --> 00:35:52.359 preservation is the most important thing. 00:35:52.359 --> 00:35:54.520 Documentation: We already know that 00:35:54.520 --> 00:35:56.960 everything needs to be documented, okay? 00:35:56.960 --> 00:35:59.960 From the crime scene to the 00:35:59.960 --> 00:36:02.599 last point. 
Chain of custody: One more 00:36:02.599 --> 00:36:04.640 time, and I guess I’m going to 00:36:04.640 --> 00:36:07.119 mention this one more time because chain 00:36:07.119 --> 00:36:10.280 of custody means or opens the door for 00:36:10.280 --> 00:36:13.079 you to present a case in the court of 00:36:13.079 --> 00:36:17.400 law or to prove, in 00:36:17.400 --> 00:36:20.040 your organization, that what you 00:36:20.040 --> 00:36:22.520 are presenting is appropriate. You have 00:36:22.520 --> 00:36:25.839 to plan how you are going to collect the 00:36:25.839 --> 00:36:29.160 data. you have to plan with anticipation 00:36:29.160 --> 00:36:31.640 the specific tools you are going to use 00:36:31.640 --> 00:36:34.760 what methods are you going to consider 00:36:34.760 --> 00:36:37.200 in your data collection process this is 00:36:37.200 --> 00:36:40.079 relevant and you always have to consider 00:36:40.079 --> 00:36:44.040 the coms coms is probably more important 00:36:44.040 --> 00:36:47.520 than PR when you select or decided to 00:36:47.520 --> 00:36:51.119 use a particular application for the 00:36:51.119 --> 00:36:54.160 data acquisition you always want to 00:36:54.160 --> 00:36:57.359 focus on the negative people usually 00:36:57.359 --> 00:36:59.680 tends to talk about the positive oh I 00:36:59.680 --> 00:37:02.079 like why the Shar because this and that 00:37:02.079 --> 00:37:03.560 it's better that you focus on the 00:37:03.560 --> 00:37:06.880 negative in Information Technology 00:37:06.880 --> 00:37:09.599 everything has cross and comes no 00:37:09.599 --> 00:37:13.240 exceptions exceptions do not exist there 00:37:13.240 --> 00:37:16.839 is not one exception everything positive 00:37:16.839 --> 00:37:18.760 have something negative in information 00:37:18.760 --> 00:37:20.880 technology and this is what you want to 00:37:20.880 --> 00:37:24.599 focus on it to avoid problems at the end 00:37:24.599 --> 00:37:27.800 Okay so 00:37:27.800 --> 00:37:29.800 how 
about the verification process you 00:37:29.800 --> 00:37:33.800 have to verify before you work with the 00:37:33.800 --> 00:37:36.640 real data that the tools and methods you 00:37:36.640 --> 00:37:39.960 selected work okay you never want to 00:37:39.960 --> 00:37:42.560 mess up with the original data needed 00:37:42.560 --> 00:37:45.359 with a copy you want to test in a test 00:37:45.359 --> 00:37:48.359 environment your tools your methods your 00:37:48.359 --> 00:37:50.400 approach the steps you are going to 00:37:50.400 --> 00:37:53.440 follow is very time consuming it is but 00:37:53.440 --> 00:37:56.960 by the way it's also very well paid is 00:37:56.960 --> 00:37:58.920 very well paid the only thing I can tell 00:37:58.920 --> 00:38:00.880 you that it's very well paid you have no 00:38:00.880 --> 00:38:04.359 idea if you become a cyber security 00:38:04.359 --> 00:38:07.200 expert and specialize in digital 00:38:07.200 --> 00:38:10.680 forensic this is where the money is and 00:38:10.680 --> 00:38:13.240 trust me this is where the money is okay 00:38:13.240 --> 00:38:17.599 I'm telling you first person duplication 00:38:17.599 --> 00:38:21.000 we talk about that already the only way 00:38:21.000 --> 00:38:23.960 to do that is by creating bit forbit 00:38:23.960 --> 00:38:27.119 image there is no other ways okay this 00:38:27.119 --> 00:38:29.920 is why you you want to use PR blocking 00:38:29.920 --> 00:38:31.920 devices software and Hardware I 00:38:31.920 --> 00:38:34.560 mentioned that before Tex rooms and 00:38:34.560 --> 00:38:37.040 hatching different concepts that some 00:38:37.040 --> 00:38:40.160 people are still confusing about it okay 00:38:40.160 --> 00:38:42.040 there is a huge difference between the 00:38:42.040 --> 00:38:46.040 two the main one is that Asing is a 00:38:46.040 --> 00:38:49.760 oneway function you go from the left to 00:38:49.760 --> 00:38:51.920 the right and usually you don't have the 00:38:51.920 --> 00:38:53.720 ability to 
come back to replicate the 00:38:53.720 --> 00:38:56.839 process of course if you have the 00:38:56.839 --> 00:38:59.280 algorithms on hand then you can do 00:38:59.280 --> 00:39:02.040 reverse engineering this is obvious but 00:39:02.040 --> 00:39:04.319 this is not what happen in regular 00:39:04.319 --> 00:39:06.920 conditions okay so check zoom and 00:39:06.920 --> 00:39:10.319 hatching both minimize the possibility 00:39:10.319 --> 00:39:13.200 that you mistake in your digital 00:39:13.200 --> 00:39:15.640 forensic ER 00:39:15.640 --> 00:39:18.240 analysis the other component is 00:39:18.240 --> 00:39:21.599 acquisition okay so how are you going to 00:39:21.599 --> 00:39:23.599 collect the data what particular tools 00:39:23.599 --> 00:39:26.040 are you going to use you always have to 00:39:26.040 --> 00:39:29.359 maintain a strict R only access to the 00:39:29.359 --> 00:39:31.560 source if you have the ability to 00:39:31.560 --> 00:39:34.640 manipulate the data in the source you 00:39:34.640 --> 00:39:37.640 have the ability to tamper with actually 00:39:37.640 --> 00:39:39.680 the most important consideration out of 00:39:39.680 --> 00:39:43.680 the CIA which is integrity if the 00:39:43.680 --> 00:39:46.920 opponent is the opposite part to you in 00:39:46.920 --> 00:39:49.560 your organization the defendant in other 00:39:49.560 --> 00:39:53.520 words have the ability to prove that 00:39:53.520 --> 00:39:56.880 the the original data or source can be 00:39:56.880 --> 00:39:58.960 manipulated in any way the conversation 00:39:58.960 --> 00:40:01.920 is 100% over and the case will be 00:40:01.920 --> 00:40:04.319 dismissed categorically speaking it's no 00:40:04.319 --> 00:40:07.839 more conversation so this is a humongous 00:40:07.839 --> 00:40:10.440 responsibility when it comes to data 00:40:10.440 --> 00:40:12.920 acquisition what protocols you use what 00:40:12.920 --> 00:40:14.800 the specific tools how do you plan it 00:40:14.800 --> 00:40:17.040 how 
you document is a very painful 00:40:17.040 --> 00:40:21.319 process in other words okay now data 00:40:21.319 --> 00:40:24.480 recovery we already talk about the 00:40:24.480 --> 00:40:27.400 complexity of finding a needle in a tone 00:40:27.400 --> 00:40:30.440 of s this is super complex okay but it's 00:40:30.440 --> 00:40:34.079 doable the only thing you have to use is 00:40:34.079 --> 00:40:36.000 the appropriate tools and you you need 00:40:36.000 --> 00:40:38.440 to have a specific plan because every 00:40:38.440 --> 00:40:41.960 single case is 100% different digital 00:40:41.960 --> 00:40:44.800 signatures sign the acquire data in 00:40:44.800 --> 00:40:48.400 hatches with a dig digital signature for 00:40:48.400 --> 00:40:50.440 authentication there are multiple cases 00:40:50.440 --> 00:40:53.960 today in which H signatures are not 00:40:53.960 --> 00:40:56.960 accepted anymore in the go government I 00:40:56.960 --> 00:40:58.800 am a Federal Officer for the US 00:40:58.800 --> 00:41:01.920 Department of Commerce in USA in the 00:41:01.920 --> 00:41:04.560 government we are not allowed to sign 00:41:04.560 --> 00:41:07.680 anything by hand for many years back 00:41:07.680 --> 00:41:11.599 many years okay digital signatures have 00:41:11.599 --> 00:41:15.720 a specific component that minimize 00:41:15.720 --> 00:41:18.240 dramatically speaking the possibility of 00:41:18.240 --> 00:41:20.720 replication and this is why this is 00:41:20.720 --> 00:41:23.359 accepted in the court of law 00:41:23.359 --> 00:41:26.000 verification R verifies the Integrity of 00:41:26.000 --> 00:41:29.440 that Qui image by comparing hash values 00:41:29.440 --> 00:41:32.240 with those calculated before the hash 00:41:32.240 --> 00:41:36.280 values must be exact no difference not 00:41:36.280 --> 00:41:39.079 even in one 00:41:39.079 --> 00:41:43.280 0.001 percentage most much 100% 00:41:43.280 --> 00:41:46.520 categorically speaking otherwise the 00:41:46.520 --> 00:41:49.119 
court is going to dismiss the case as 00:41:49.119 --> 00:41:52.240 well or the organization probably is not 00:41:52.240 --> 00:41:55.119 going to take the appropriate action vus 00:41:55.119 --> 00:41:59.119 in a particular individual or problem or 00:41:59.119 --> 00:42:03.079 process okay LS and no we already talk 00:42:03.079 --> 00:42:05.560 about documentation at the beginning you 00:42:05.560 --> 00:42:09.280 have to actually make sure that 00:42:09.280 --> 00:42:12.240 everything is timestamped as I mentioned 00:42:12.240 --> 00:42:15.040 before at the beginning digital forensic 00:42:15.040 --> 00:42:18.440 must be collected in a particular order 00:42:18.440 --> 00:42:21.400 analyzed in the similar Manner and 00:42:21.400 --> 00:42:24.599 presented in the report in the specific 00:42:24.599 --> 00:42:28.040 order in which the process was done 00:42:28.040 --> 00:42:31.160 otherwise the process is going to be 00:42:31.160 --> 00:42:33.720 disqualified and this is exclusively at 00:42:33.720 --> 00:42:36.880 this point our own responsibility and 00:42:36.880 --> 00:42:41.520 nobody else okay the storage we already 00:42:41.520 --> 00:42:44.880 know that gain of custody is one of the 00:42:44.880 --> 00:42:46.520 most important component there are 00:42:46.520 --> 00:42:49.160 multiple forms depending of the state in 00:42:49.160 --> 00:42:51.960 which you live and the countries as well 00:42:51.960 --> 00:42:54.680 that you have to follow anything if you 00:42:54.680 --> 00:42:57.559 miss a check mark or if you put a check 00:42:57.559 --> 00:43:00.400 mark on those particular forms you are 00:43:00.400 --> 00:43:04.079 basically dismissing you the case you 00:43:04.079 --> 00:43:06.720 intentionally the court doesn't work in 00:43:06.720 --> 00:43:10.040 the way many of us believe okay we have 00:43:10.040 --> 00:43:12.280 the possibility to put somebody in the 00:43:12.280 --> 00:43:16.359 electric share or to release to provide 00:43:16.359 --> 
00:43:18.520 to this particular individual or 00:43:18.520 --> 00:43:21.880 organization what we said is relevant 00:43:21.880 --> 00:43:24.400 okay this is very important the brift 00:43:24.400 --> 00:43:26.119 you always have to be in Comm 00:43:26.119 --> 00:43:29.640 communication with all parties both the 00:43:29.640 --> 00:43:32.359 one presenting the digital process or 00:43:32.359 --> 00:43:35.359 ruling the process and the other part as 00:43:35.359 --> 00:43:39.520 well you cannot hide anything Zero from 00:43:39.520 --> 00:43:41.880 your opponents in the court of law or 00:43:41.880 --> 00:43:44.720 for the defendant part never in your 00:43:44.720 --> 00:43:47.559 life this is why the first bullet in the 00:43:47.559 --> 00:43:50.040 whole presentation was as you may 00:43:50.040 --> 00:43:54.079 remember ethics okay in digital forensic 00:43:54.079 --> 00:43:57.480 we provide what we known to the other 00:43:57.480 --> 00:44:00.440 parties as well even to the defendant to 00:44:00.440 --> 00:44:03.119 the opponents every single time no 00:44:03.119 --> 00:44:06.520 exception and we provide every single 00:44:06.520 --> 00:44:09.559 artifact with the most clear possible 00:44:09.559 --> 00:44:12.480 explanation to the opponents this is how 00:44:12.480 --> 00:44:14.880 the digital forensic process work 00:44:14.880 --> 00:44:17.720 otherwise it will be dismissed as well 00:44:17.720 --> 00:44:20.839 in the court steing you have to make 00:44:20.839 --> 00:44:24.160 sure that every single piece of digital 00:44:24.160 --> 00:44:27.000 evidence is 00:44:27.000 --> 00:44:30.520 properly still then that you follow the 00:44:30.520 --> 00:44:32.720 process by the book again if you Skip 00:44:32.720 --> 00:44:36.640 One Step just one out of 100 or 200s 00:44:36.640 --> 00:44:39.520 depending of the case the case is going 00:44:39.520 --> 00:44:42.720 to be this measure no exceptions the Cod 00:44:42.720 --> 00:44:46.319 goes by the book as you can imagine 
and 00:44:46.319 --> 00:44:48.000 your opponent is going to be very 00:44:48.000 --> 00:44:50.200 attentive to to the minimum possible 00:44:50.200 --> 00:44:53.839 failure to dismiss the case okay so how 00:44:53.839 --> 00:44:56.200 you transport the data from one place to 00:44:56.200 --> 00:44:59.240 the other place chain of custody this is 00:44:59.240 --> 00:45:02.760 the key component chain of custody data 00:45:02.760 --> 00:45:06.200 encryption you have to make sure that 00:45:06.200 --> 00:45:10.440 you prevent or actually Pro prevent a 00:45:10.440 --> 00:45:13.119 Integrity manipulation and you always 00:45:13.119 --> 00:45:16.319 want to meure the confidentiality of the 00:45:16.319 --> 00:45:19.000 data CIA we already talked about the 00:45:19.000 --> 00:45:21.520 component confidentiality Integrity 00:45:21.520 --> 00:45:23.480 availability from the digital forensic 00:45:23.480 --> 00:45:26.319 standpoint the most important no 00:45:26.319 --> 00:45:29.880 exception is integrity and also the 00:45:29.880 --> 00:45:32.319 confidentiality okay so from the 00:45:32.319 --> 00:45:35.200 recovery image standpoint you always 00:45:35.200 --> 00:45:37.960 want to have a duplicate for validation 00:45:37.960 --> 00:45:40.760 and reanalysis and remember that you 00:45:40.760 --> 00:45:43.559 always want to work with a copy of the 00:45:43.559 --> 00:45:47.920 digital evidence 100% of the time no 9 00:45:47.920 --> 00:45:50.680 you have to preserve the original 00:45:50.680 --> 00:45:52.720 evidence this is part of our 00:45:52.720 --> 00:45:56.480 responsibility and this is why we do bit 00:45:56.480 --> 00:46:00.480 by bit analysis and bit by bit copy it's 00:46:00.480 --> 00:46:04.200 complex okay now a specific step in 00:46:04.200 --> 00:46:06.079 digital forensics to analyze the 00:46:06.079 --> 00:46:08.720 collected data at this point you already 00:46:08.720 --> 00:46:10.880 went through multiple process and spent 00:46:10.880 --> 00:46:14.359 a lot 
of time. How do you analyze the 00:46:14.359 --> 00:46:16.079 data you have? Because you are going to 00:46:16.079 --> 00:46:19.400 have probably terabytes of data. Okay, 00:46:19.400 --> 00:46:23.680 well, you have to make sure that hashing 00:46:23.680 --> 00:46:27.440 and the digital signatures and the chain 00:46:27.440 --> 00:46:31.480 of custody have been followed. Data 00:46:31.480 --> 00:46:34.000 prioritization: what happens and what is 00:46:34.000 --> 00:46:35.880 more relevant. You cannot present in the 00:46:35.880 --> 00:46:38.800 court two terabytes of data or 2,000 00:46:38.800 --> 00:46:41.640 pages; this is irrelevant for the case, 00:46:41.640 --> 00:46:44.240 okay. You have to make sure that you use 00:46:44.240 --> 00:46:47.240 keywords in order to provide a solid 00:46:47.240 --> 00:46:49.680 report to the court for this particular 00:46:49.680 --> 00:46:52.839 case. For the keywords, artificial 00:46:52.839 --> 00:46:56.000 intelligence has been proven to me to be 00:46:56.000 --> 00:46:59.319 of huge help. File carving: you have to 00:46:59.319 --> 00:47:02.119 use a specialized tool to recover files 00:47:02.119 --> 00:47:05.480 that may have been deleted or 00:47:05.480 --> 00:47:08.760 intentionally hidden. Timeline analysis, 00:47:08.760 --> 00:47:11.440 we talked about: you have to do everything 00:47:11.440 --> 00:47:13.920 by following a particular sequence of 00:47:13.920 --> 00:47:16.720 activities. In other words, you have to 00:47:16.720 --> 00:47:18.760 present and do the analysis in 00:47:18.760 --> 00:47:21.280 chronological order. In the way that you 00:47:21.280 --> 00:47:23.880 collect the data, this is the exact way 00:47:23.880 --> 00:47:26.040 you do the analysis, and later you do 00:47:26.040 --> 00:47:28.119 correlation, okay, but you have to follow 00:47:28.119 --> 00:47:30.760 a particular chronological order. Data 00:47:30.760 --> 00:47:33.440 recovery: you have to do your best to 00:47:33.440 --> 00:47:35.520 reconstruct the data that have been
00:47:35.520 --> 00:47:38.559 deleted or probably damaged, even by a 00:47:38.559 --> 00:47:40.880 physical or electronic condition in the 00:47:40.880 --> 00:47:43.680 storage media. The metadata analysis is 00:47:43.680 --> 00:47:46.240 also complex, okay. This is the next 00:47:46.240 --> 00:47:49.240 component after the timeline 00:47:49.240 --> 00:47:52.040 analysis. Metadata includes multiple kinds 00:47:52.040 --> 00:47:54.880 of data, so this part of the analysis is 00:47:54.880 --> 00:47:57.359 going to be complex and more time 00:47:57.359 --> 00:47:59.520 consuming than the data collection, and 00:47:59.520 --> 00:48:02.319 the data collection is already very time 00:48:02.319 --> 00:48:04.760 consuming. Content analysis: you have to 00:48:04.760 --> 00:48:06.280 be very careful, because this is 00:48:06.280 --> 00:48:08.960 basically what the forensic analysis is 00:48:08.960 --> 00:48:12.240 going to be. Pattern recognition: how you 00:48:12.240 --> 00:48:15.800 can match one bit of data with another 00:48:15.800 --> 00:48:19.040 bit, okay. Is there any association 00:48:19.040 --> 00:48:23.359 between bits, between bytes, between data, 00:48:23.359 --> 00:48:26.640 between words? This is a critical 00:48:26.640 --> 00:48:29.400 component. Communication analysis: again, 00:48:29.400 --> 00:48:31.319 you want to make sure that you include 00:48:31.319 --> 00:48:34.680 everything. Emails today are probably the 00:48:34.680 --> 00:48:37.760 most relevant component of digital 00:48:37.760 --> 00:48:39.800 forensic analysis; you want to make sure 00:48:39.800 --> 00:48:42.839 that you master email analysis as well. 00:48:42.839 --> 00:48:45.640 Data encryption: you always have to keep 00:48:45.640 --> 00:48:48.079 in mind the confidentiality, and when we 00:48:48.079 --> 00:48:50.520 are talking about the recovery or the 00:48:50.520 --> 00:48:53.160 recovery image, I mentioned that as well, 00:48:53.160 --> 00:48:56.040 similar to the chain of custody before, 00:48:56.040
--> 00:48:58.160 because you always have to preserve the 00:48:58.160 --> 00:49:01.240 original digital data evidence. 00:49:01.240 --> 00:49:03.000 Examination: you want to make sure that 00:49:03.000 --> 00:49:06.000 you verify the integrity of the data you 00:49:06.000 --> 00:49:08.799 have been acquiring, including hash value, 00:49:08.799 --> 00:49:11.440 digital signature and the chain of 00:49:11.440 --> 00:49:14.119 custody. We talked about this already; 00:49:14.119 --> 00:49:16.880 this is a repeat of the slide, by the way, 00:49:16.880 --> 00:49:20.480 okay. So database examination, and you 00:49:20.480 --> 00:49:23.760 are seeing a duplicate slide, so this slide 00:49:23.760 --> 00:49:27.680 is the same as this, okay, so my apology 00:49:27.680 --> 00:49:30.680 for that, it's my fault. Database 00:49:30.680 --> 00:49:33.000 examination: investigate databases for 00:49:33.000 --> 00:49:35.480 valuable information, including 00:49:35.480 --> 00:49:38.760 structured data and log entries, etc. 00:49:38.760 --> 00:49:41.240 Media analysis: this is a very complex 00:49:41.240 --> 00:49:43.960 process because it's usually about steganography 00:49:43.960 --> 00:49:47.200 or includes steganography, and this is about 00:49:47.200 --> 00:49:50.040 images, videos, audios, geolocation in 00:49:50.040 --> 00:49:52.319 digital signatures. Network traffic 00:49:52.319 --> 00:49:56.359 analysis tools, such as Wireshark, but my 00:49:56.359 --> 00:49:59.160 suggestion is that you use all the tools 00:49:59.160 --> 00:50:02.119 that are part of the artificial 00:50:02.119 --> 00:50:04.720 intelligence applications we can use 00:50:04.720 --> 00:50:06.839 today and are available in the 00:50:06.839 --> 00:50:10.520 market. Steganography is always complex, okay, 00:50:10.520 --> 00:50:14.079 because steganography includes not only images but 00:50:14.079 --> 00:50:16.880 in many cases audio as well, and this is 00:50:16.880 --> 00:50:19.720 very complex, time consuming. You always 00:50:19.720 --> 00:50:22.359 want to make
sure that you use the 00:50:22.359 --> 00:50:24.359 appropriate steganalysis techniques, 00:50:24.359 --> 00:50:27.160 and there are multiple specific ones for 00:50:27.160 --> 00:50:29.960 volatile analysis. As I mentioned before, 00:50:29.960 --> 00:50:33.440 there are multiple ways to do 00:50:33.440 --> 00:50:37.599 data acquisition from RAM memory. When we 00:50:37.599 --> 00:50:41.240 turn off the computer, all the data from 00:50:41.240 --> 00:50:44.200 RAM doesn't go off; this is what 00:50:44.200 --> 00:50:47.319 everybody says, this is what Google says, 00:50:47.319 --> 00:50:48.960 this is what people that never do 00:50:48.960 --> 00:50:51.920 forensic investigation repeat. This is 00:50:51.920 --> 00:50:54.920 not appropriate if you know how to do it, 00:50:54.920 --> 00:50:57.480 and again, I made the presentation for EC 00:50:57.480 --> 00:51:00.440 Council in 2019. If you Google my name and 00:51:00.440 --> 00:51:02.640 this presentation, you will be able to 00:51:02.640 --> 00:51:05.880 find a particular video in which I was 00:51:05.880 --> 00:51:08.359 able to recover data from RAM memory 00:51:08.359 --> 00:51:12.119 after the computer was taken down, taken 00:51:12.119 --> 00:51:15.000 down, believe it or not. Go for the other 00:51:15.000 --> 00:51:16.839 presentation that is in the EC Council 00:51:16.839 --> 00:51:19.079 database and you will be able to see the 00:51:19.079 --> 00:51:21.640 video, okay. Comparison: you have to do 00:51:21.640 --> 00:51:24.359 cross reference every single time to 00:51:24.359 --> 00:51:27.040 make sure that the data you identify is 00:51:27.040 --> 00:51:30.359 appropriate, and you always identify 00:51:30.359 --> 00:51:32.760 deviations and 00:51:32.760 --> 00:51:35.240 inconsistency before you do the final 00:51:35.240 --> 00:51:38.079 report. I told you already, when you 00:51:38.079 --> 00:51:40.839 present the report in the court of law, 00:51:40.839 --> 00:51:44.359 any minimum mistake, something minimum, 00:51:44.359 -->
00:51:46.839 will be disqualified in the case. For 00:51:46.839 --> 00:51:49.599 example, in this presentation I 00:51:49.599 --> 00:51:53.480 included by mistake this slide and this slide. 00:51:53.480 --> 00:51:56.000 If I do that in the court of law, 00:51:56.000 --> 00:51:56.960 it is 00:51:56.960 --> 00:52:00.040 dismissed, okay, that's it, there's no more 00:52:00.040 --> 00:52:02.400 conversation. The emotion analysis, we 00:52:02.400 --> 00:52:04.680 have talked about that; we are talking 00:52:04.680 --> 00:52:07.839 about persons. Digital evidence is always 00:52:07.839 --> 00:52:11.920 related to people, processes, 00:52:11.920 --> 00:52:14.839 applications, hardware, software, so we 00:52:14.839 --> 00:52:17.920 want to make sure that what we present 00:52:17.920 --> 00:52:20.160 is accurate. And from the documentation, 00:52:20.160 --> 00:52:22.720 at some point it was the second point in 00:52:22.720 --> 00:52:25.400 the presentation, we have to document 00:52:25.400 --> 00:52:28.240 everything. Reporting is about compiling 00:52:28.240 --> 00:52:31.559 in a clear and comprehensive manner, 00:52:31.559 --> 00:52:33.720 including summaries, methodologies and 00:52:33.720 --> 00:52:35.880 supporting evidence. You have to include, 00:52:35.880 --> 00:52:39.000 or at least in my case I always include, 00:52:39.000 --> 00:52:41.960 the recordings of everything I do. 00:52:41.960 --> 00:52:43.960 Everything means even if I open my 00:52:43.960 --> 00:52:46.280 personal email, or if a notification comes 00:52:46.280 --> 00:52:48.799 to my computer and I open something in 00:52:48.799 --> 00:52:52.640 my WhatsApp, for example, this is 00:52:52.640 --> 00:52:55.760 part of the recording as well, okay. So 00:52:55.760 --> 00:52:58.359 you have to make sure that you provide 00:52:58.359 --> 00:53:00.920 an expert testimony; in order to do that 00:53:00.920 --> 00:53:02.359 you have to be an expert in digital 00:53:02.359 --> 00:53:06.000 currency. Peer review: consult with
other, 00:53:06.000 --> 00:53:08.280 with your partners, with the opponent, 00:53:08.280 --> 00:53:10.680 with the defendant part, before you 00:53:10.680 --> 00:53:12.240 present. It's not that you are going to 00:53:12.240 --> 00:53:14.799 modify the report because the defendant 00:53:14.799 --> 00:53:16.640 doesn't like it; this is not what I'm 00:53:16.640 --> 00:53:18.920 telling you. It's just that you are going 00:53:18.920 --> 00:53:21.359 to provide the report, and by the way, you 00:53:21.359 --> 00:53:24.119 must provide the report to the defendant 00:53:24.119 --> 00:53:26.720 before you go to the court. By the time 00:53:26.720 --> 00:53:28.480 you stand up in the court, everything 00:53:28.480 --> 00:53:30.240 needs to be done; the other part needs to 00:53:30.240 --> 00:53:32.680 know exactly what you are going to 00:53:32.680 --> 00:53:35.280 present. This is how the legal systems 00:53:35.280 --> 00:53:38.280 work, okay, with the exception of very few 00:53:38.280 --> 00:53:41.000 countries, but in the world this is how 00:53:41.000 --> 00:53:44.400 it works. So the quality assurance is just 00:53:44.400 --> 00:53:46.240 making sure that what you present is 00:53:46.240 --> 00:53:49.480 appropriate. The case management is how 00:53:49.480 --> 00:53:51.400 you use the digital forensic management 00:53:51.400 --> 00:53:53.680 system to track everything in the analysis 00:53:53.680 --> 00:53:56.440 process. And from the data privacy 00:53:56.440 --> 00:53:58.559 compliance, I told you already, every 00:53:58.559 --> 00:54:00.440 single place, every single city, every 00:54:00.440 --> 00:54:02.559 single state operates under different 00:54:02.559 --> 00:54:04.920 conditions. Popular tools for digital 00:54:04.920 --> 00:54:08.680 forensics, a few of those: EnCase, 00:54:08.680 --> 00:54:11.720 Autopsy, AccessData, everybody knows, which 00:54:11.720 --> 00:54:14.559 is Forensic Toolkit, X-Ways Forensics, 00:54:14.559 --> 00:54:17.960 Cellebrite, Volatility, Wireshark, 00:54:17.960 --> 00:54:20.520
everybody most likely knows Oxygen 00:54:20.520 --> 00:54:22.839 Forensic Detective and the Digital 00:54:22.839 --> 00:54:25.319 Evidence and Forensic Toolkit. So some 00:54:25.319 --> 00:54:28.160 of those are included in Kali, others do 00:54:28.160 --> 00:54:31.359 not; some are open source, others are 00:54:31.359 --> 00:54:34.119 extremely expensive, for example EnCase, 00:54:34.119 --> 00:54:37.280 which is very, very expensive. Some 00:54:37.280 --> 00:54:39.280 relevant references about digital 00:54:39.280 --> 00:54:43.000 forensics: I prefer to use keywords and 00:54:43.000 --> 00:54:45.599 not particular references or books, 00:54:45.599 --> 00:54:49.000 because I don't recommend any specific 00:54:49.000 --> 00:54:51.960 book, instead the combination of content 00:54:51.960 --> 00:54:54.160 and knowledge and expertise. But some 00:54:54.160 --> 00:54:56.480 words or keywords you can use, if you 00:54:56.480 --> 00:54:58.960 want to expand more in digital forensics, 00:54:58.960 --> 00:55:02.079 are: digital forensic best practices, 00:55:02.079 --> 00:55:04.839 challenges in mobile digital forensics, 00:55:04.839 --> 00:55:07.000 network forensic techniques, cloud 00:55:07.000 --> 00:55:09.559 forensic investigations, Internet of 00:55:09.559 --> 00:55:12.839 Things forensics, memory forensic analysis, 00:55:12.839 --> 00:55:14.799 because you want to stop repeating what 00:55:14.799 --> 00:55:17.119 you have been learning for years: when 00:55:17.119 --> 00:55:19.160 you take down the computer, when the 00:55:19.160 --> 00:55:21.240 computer is turned 00:55:21.240 --> 00:55:24.119 off, there is a lot of data that 00:55:24.119 --> 00:55:26.760 remains in RAM memory for a particular 00:55:26.760 --> 00:55:30.520 amount of time, of course, okay. So try to 00:55:30.520 --> 00:55:32.880 expand on this topic. Malware analysis in 00:55:32.880 --> 00:55:35.440 digital forensics, and cyber security and 00:55:35.440 --> 00:55:37.839 digital forensic trends, those are 00:55:37.839 --> 00:55:41.240
keywords that will be facilitating your 00:55:41.240 --> 00:55:44.280 expansion, or you expanding on digital 00:55:44.280 --> 00:55:48.240 forensic knowledge. Other 00:55:48.240 --> 00:55:50.880 considerations are some particular 00:55:50.880 --> 00:55:54.240 journals, okay. In this case I'm going 00:55:54.240 --> 00:55:56.799 to risk it and recommend Digital 00:55:56.799 --> 00:55:59.720 Investigation, that is published by Elsevier; 00:55:59.720 --> 00:56:02.480 it is one of the top in the world. The other 00:56:02.480 --> 00:56:04.599 one is the Journal of Digital Forensics, 00:56:04.599 --> 00:56:07.559 Security and Law, and Forensic Science 00:56:07.559 --> 00:56:12.160 International: Digital Investigation. 00:56:12.839 --> 00:56:15.520 Report: I'm open to any question you may 00:56:15.520 --> 00:56:19.319 have, and one more time, before I 00:56:19.319 --> 00:56:22.440 close my lips, I want to sincerely thank 00:56:22.440 --> 00:56:25.160 you, EC Council, for another opportunity 00:56:25.160 --> 00:56:27.760 to talk about this fascinating topic. 00:56:27.760 --> 00:56:29.880 Thank you very much for all the staff in 00:56:29.880 --> 00:56:34.079 the EC Council that work tirelessly, who made 00:56:34.079 --> 00:56:37.079 this presentation a possibility, and 00:56:37.079 --> 00:56:39.000 thank you so much as well for you guys 00:56:39.000 --> 00:56:41.160 attending the conference and 00:56:41.160 --> 00:56:44.440 for the questions that you may 00:56:44.880 --> 00:56:47.559 ask. Thank you very much, Dr. Luis, for 00:56:47.559 --> 00:56:49.200 such an insightful and informative 00:56:49.200 --> 00:56:50.760 session. That was really a very 00:56:50.760 --> 00:56:52.880 interesting webinar, and we hope it was 00:56:52.880 --> 00:56:55.480 worth your time too. Now, before we 00:56:55.480 --> 00:56:57.280 begin with the Q&A, I would like to 00:56:57.280 --> 00:56:59.680 inform all the attendees that EC 00:56:59.680 --> 00:57:03.119 Council's CHFI maps to the forensic 00:57:03.119 -->
00:57:05.319 investigator and the consultant, digital 00:57:05.319 --> 00:57:07.760 forensics. Anyone with the CHFI 00:57:07.760 --> 00:57:10.079 certification is eligible for 4,000 plus 00:57:10.079 --> 00:57:12.200 job vacancies globally with an average 00:57:12.200 --> 00:57:13.240 salary of 00:57:13.240 --> 00:57:15.319 $95,000. If you're interested to learn 00:57:15.319 --> 00:57:17.079 more, kindly take part in the poll that's 00:57:17.079 --> 00:57:18.839 going to be conducted now. Let us know 00:57:18.839 --> 00:57:20.240 your preferred mode of training and we 00:57:20.240 --> 00:57:23.039 will reach out to you 00:57:23.799 --> 00:57:26.599 soon. 00:57:26.599 --> 00:57:29.440 Uh, Dr. Luis, shall we start with the 00:57:29.440 --> 00:57:32.119 Q&A? Yes, I'm ready 00:57:32.119 --> 00:57:35.319 for it. Okay, our first question is: how to 00:57:35.319 --> 00:57:38.640 prove in a court of law that the collected 00:57:38.640 --> 00:57:40.839 evidence is from the same object and not 00:57:40.839 --> 00:57:43.160 collected from any other 00:57:43.160 --> 00:57:46.400 object? This is a very important question. 00:57:46.400 --> 00:57:48.720 I really appreciate the clarification on 00:57:48.720 --> 00:57:51.640 this topic. As I said, we have to be very 00:57:51.640 --> 00:57:53.520 careful about the way we collect the 00:57:53.520 --> 00:57:56.400 data. When we are talking about objects, 00:57:56.400 --> 00:57:59.760 objects are associated to bits, not to 00:57:59.760 --> 00:58:02.359 bytes only but bits, and as I mentioned 00:58:02.359 --> 00:58:05.760 multiple times, when we do the copy of 00:58:05.760 --> 00:58:08.680 the original data we want to make sure 00:58:08.680 --> 00:58:11.960 that we always do bit by bit. When you do 00:58:11.960 --> 00:58:16.640 bit by bit and not byte by byte, because a bit 00:58:16.640 --> 00:58:21.599 implies up to 3.4 volts in electricity, 00:58:21.599 --> 00:58:24.119 we are eliminating the possibility of 00:58:24.119 --> 00:58:27.839 mistake. Objects are bigger; a bit does not
00:58:27.839 --> 00:58:31.039 constitute an object. Objects are formed 00:58:31.039 --> 00:58:34.200 by multiple bits; this is why we have to 00:58:34.200 --> 00:58:37.039 do the analysis bit by bit, and I 00:58:37.039 --> 00:58:40.240 mentioned that multiple 00:58:42.079 --> 00:58:44.200 times. Thank you for answering that 00:58:44.200 --> 00:58:46.520 question. Our next question is: what kind 00:58:46.520 --> 00:58:48.839 of forensic data can we obtain from 00:58:48.839 --> 00:58:51.039 encrypted data where the key is not 00:58:51.039 --> 00:58:53.720 available to decrypt the 00:58:53.720 --> 00:58:58.280 data? Could you please repeat the 00:58:58.520 --> 00:59:01.520 question? What kind of forensic data can 00:59:01.520 --> 00:59:04.079 be obtained from encrypted data 00:59:04.079 --> 00:59:05.880 where the key is not available to 00:59:05.880 --> 00:59:08.599 decrypt the 00:59:09.319 --> 00:59:13.039 data? You encrypt 00:59:13.039 --> 00:59:16.119 data... uh, I'll just paste the question to you 00:59:16.119 --> 00:59:19.599 on chat, uh, Dr. 00:59:19.599 --> 00:59:23.200 Luis. I'm not watching the chat right now, 00:59:23.200 --> 00:59:26.640 something happened. 00:59:28.319 --> 00:59:30.359 I'm not watching the 00:59:30.359 --> 00:59:34.680 chat, sorry. Hello, hello, hello, can 00:59:34.680 --> 00:59:35.960 you hear 00:59:35.960 --> 00:59:39.960 me? Yes, I can hear you. Yes, I have posted 00:59:39.960 --> 00:59:43.440 the question on the chat, Dr. Luis. Okay, 00:59:43.440 --> 00:59:47.480 okay, please. Yes, I have already pasted it. 00:59:47.480 --> 00:59:50.599 Okay, let me check 00:59:53.640 --> 00:59:56.400 here. 00:59:56.400 --> 00:59:59.680 Okay, give me a second. Okay, what kind of 00:59:59.680 --> 01:00:01.400 forensic data can be obtained from 01:00:01.400 --> 01:00:04.799 encrypted data? Oh, okay, okay, well, this is 01:00:04.799 --> 01:00:07.240 another misperception, okay. Everybody 01:00:07.240 --> 01:00:09.799 knows that when the data is encrypted we 01:00:09.799 --> 01:00:12.640 cannot
open the data or the particular 01:00:12.640 --> 01:00:16.079 file, document, video, any kind of digital 01:00:16.079 --> 01:00:18.520 forensic data. Let me tell you something: 01:00:18.520 --> 01:00:21.000 there are multiple forensic tools that 01:00:21.000 --> 01:00:23.599 have the ability to decrypt the data 01:00:23.599 --> 01:00:26.079 even when we don't have the key. This, and 01:00:26.079 --> 01:00:28.640 I understand the key component, and I 01:00:28.640 --> 01:00:30.039 understand the two types of 01:00:30.039 --> 01:00:32.599 encryption, symmetric and asymmetric, and 01:00:32.599 --> 01:00:34.760 as I said, I have multiple publications 01:00:34.760 --> 01:00:35.960 about 01:00:35.960 --> 01:00:40.160 encryption, er, but there is most likely 01:00:40.160 --> 01:00:43.839 always the possibility to decrypt data 01:00:43.839 --> 01:00:47.480 without having the encryption key. I 01:00:47.480 --> 01:00:49.559 understand that it doesn't sound 01:00:49.559 --> 01:00:52.280 popular; it's not what we hear every 01:00:52.280 --> 01:00:55.160 single time, but when we specialize 01:00:55.160 --> 01:00:58.520 in digital forensics we usually have the 01:00:58.520 --> 01:01:01.839 tools we need to decrypt the data, 01:01:01.839 --> 01:01:04.319 especially if you are using artificial 01:01:04.319 --> 01:01:07.400 intelligence. Also in the government, at 01:01:07.400 --> 01:01:09.280 least in the US government, in my 01:01:09.280 --> 01:01:12.160 operation, in the operation I direct, I 01:01:12.160 --> 01:01:14.640 handle, I supervise, we are using 01:01:14.640 --> 01:01:16.480 artificial intelligence for multiple 01:01:16.480 --> 01:01:19.599 things in cyber security since 01:01:19.599 --> 01:01:22.319 2017, and we are also using quantum 01:01:22.319 --> 01:01:24.760 computing. Quantum computing is not 01:01:24.760 --> 01:01:28.839 coming; quantum computers are in use in the 01:01:28.839 --> 01:01:31.559 US government for years now, so we are 01:01:31.559 --> 01:01:34.520 using quantum
computing for years. There 01:01:34.520 --> 01:01:37.319 are multiple ways to decrypt the data 01:01:37.319 --> 01:01:40.640 when the encryption key is not available, 01:01:40.640 --> 01:01:42.720 multiple ways, multiple applications as 01:01:42.720 --> 01:01:45.319 well that help with the process. It's 01:01:45.319 --> 01:01:47.799 very time consuming, but there is a 01:01:47.799 --> 01:01:50.760 possibility for that, and this is a great 01:01:50.760 --> 01:01:53.240 question, because the question is, okay, 01:01:53.240 --> 01:01:55.559 how about the hard drive is encrypted, 01:01:55.559 --> 01:01:57.760 there is nothing that I can do, right? No, 01:01:57.760 --> 01:02:00.000 this is not like that. There are always 01:02:00.000 --> 01:02:02.480 ways to decrypt the data, always; it 01:02:02.480 --> 01:02:04.920 doesn't matter how strong the encryption 01:02:04.920 --> 01:02:06.960 is, but you need to have the appropriate 01:02:06.960 --> 01:02:09.640 tools in place. For example, I'm going to 01:02:09.640 --> 01:02:13.319 mention just one: EnCase. When I presented 01:02:13.319 --> 01:02:17.319 some tools that I suggest before, I 01:02:17.319 --> 01:02:20.839 said that EnCase is very expensive. 01:02:20.839 --> 01:02:24.079 EnCase does magic, between quotation marks. 01:02:24.079 --> 01:02:26.240 EnCase does multiple things that we don't 01:02:26.240 --> 01:02:28.799 learn in the school, 01:02:28.799 --> 01:02:31.760 okay. So I can see the other question 01:02:31.760 --> 01:02:33.839 here: how to adapt to investigation in 01:02:33.839 --> 01:02:35.880 the cloud, since the cloud providers do 01:02:35.880 --> 01:02:38.160 not allow most of the important operations to 01:02:38.160 --> 01:02:41.520 access media? When you have to do a case 01:02:41.520 --> 01:02:45.400 or conduct digital forensics in the cloud, 01:02:45.400 --> 01:02:48.799 the cloud providers, 99% of the time, I 01:02:48.799 --> 01:02:50.520 don't want to say 100 because I don't 01:02:50.520 --> 01:02:52.960 want to risk on that, but usually
the 01:02:52.960 --> 01:02:56.480 cloud providers include in the SLA, in 01:02:56.480 --> 01:02:58.520 the service level agreement, what is 01:02:58.520 --> 01:03:01.599 going to happen if a digital forensic or 01:03:01.599 --> 01:03:04.160 any kind of investigation needs to 01:03:04.160 --> 01:03:08.079 be performed in the cloud space, 01:03:08.079 --> 01:03:11.079 so most likely the cloud operator is 01:03:11.079 --> 01:03:13.599 going to facilitate access to everything 01:03:13.599 --> 01:03:16.359 you need. Sometimes you have to move and 01:03:16.359 --> 01:03:19.319 go physically to the place in which the 01:03:19.319 --> 01:03:20.960 data is 01:03:20.960 --> 01:03:23.480 hosted. Don't believe that the cloud 01:03:23.480 --> 01:03:25.640 provider doesn't know where the data is 01:03:25.640 --> 01:03:28.920 hosted; we know where the data is hosted. 01:03:28.920 --> 01:03:31.400 Specifically, I have been in San Diego, 01:03:31.400 --> 01:03:34.119 California, and another state, in Hawaii, 01:03:34.119 --> 01:03:35.799 back in 01:03:35.799 --> 01:03:38.440 2019 as well, doing forensic 01:03:38.440 --> 01:03:40.839 investigation in a cloud environment. It 01:03:40.839 --> 01:03:43.079 was actually for something government 01:03:43.079 --> 01:03:46.480 related, and I was given the permission I 01:03:46.480 --> 01:03:49.279 needed to do any kind of investigation. So 01:03:49.279 --> 01:03:52.000 cloud providers facilitate forensic 01:03:52.000 --> 01:03:54.640 analysis, because forensic analyses are 01:03:54.640 --> 01:03:58.079 usually related to legal cases. There are 01:03:58.079 --> 01:04:01.039 multiple cases in which, in the USA, we don't 01:04:01.039 --> 01:04:02.760 have access to this data, and I'm going 01:04:02.760 --> 01:04:06.599 to mention an example: TikTok. TikTok, 01:04:06.599 --> 01:04:08.640 the problem between the US government 01:04:08.640 --> 01:04:11.839 and TikTok is that when TikTok got the 01:04:11.839 --> 01:04:14.839 authorization to operate in the USA, the
01:04:14.839 --> 01:04:18.559 government was one step behind, behind, 01:04:18.559 --> 01:04:21.079 okay, and we don't regulate TikTok at 01:04:21.079 --> 01:04:25.200 this point. TikTok has the ability to 01:04:25.200 --> 01:04:28.279 prevent forensic investigation in the 01:04:28.279 --> 01:04:31.400 TikTok platforms for the US government 01:04:31.400 --> 01:04:34.599 court system or legal system, okay. But 01:04:34.599 --> 01:04:37.680 again, usually cloud providers facilitate 01:04:37.680 --> 01:04:40.760 investigation in the cloud 100%; they 01:04:40.760 --> 01:04:43.240 cooperate in every single manner; they 01:04:43.240 --> 01:04:48.000 have to facilitate the forensic 01:04:49.799 --> 01:04:51.720 investigation. Thank you for answering 01:04:51.720 --> 01:04:53.880 that question. Uh, we'll take the last 01:04:53.880 --> 01:04:56.839 question for the day. Uh, what is the best 01:04:56.839 --> 01:05:00.279 open source free tool for social media 01:05:00.279 --> 01:05:03.559 forensics? There is no best open source 01:05:03.559 --> 01:05:05.640 tool; it is a combination of tools. 01:05:05.640 --> 01:05:08.559 Number one, digital forensics cannot be 01:05:08.559 --> 01:05:10.640 performed, categorically speaking, with 01:05:10.640 --> 01:05:14.520 one or two tools. This is a complex, time 01:05:14.520 --> 01:05:18.240 consuming and expensive process. I made 01:05:18.240 --> 01:05:21.160 some suggestions; it's included in the 01:05:21.160 --> 01:05:26.079 slide, er, let me see, a slide, 01:05:27.319 --> 01:05:29.400 slide 01:05:29.400 --> 01:05:31.000 number 01:05:31.000 --> 01:05:34.119 16. Okay, this is the slide in which I 01:05:34.119 --> 01:05:37.400 include EnCase, Autopsy, the... some of 01:05:37.400 --> 01:05:40.520 them are upper cases, as I, I'm sorry, open 01:05:40.520 --> 01:05:43.359 source, as I mentioned before, but there 01:05:43.359 --> 01:05:46.039 is not a particular tool or two or three 01:05:46.039 --> 01:05:48.119 tools that I will recommend, because on 01:05:48.119 -->
01:05:52.319 top of that, every single forensic 01:05:52.319 --> 01:05:54.640 investigation is about a different 01:05:54.640 --> 01:05:57.440 process; you cannot use the similar tools. 01:05:57.440 --> 01:06:00.720 This is why there are very, at least in 01:06:00.720 --> 01:06:04.400 the USA, a very small amount of organizations, 01:06:04.400 --> 01:06:07.039 companies that specialize in digital 01:06:07.039 --> 01:06:10.440 forensics, as my company does. The reason 01:06:10.440 --> 01:06:13.520 why is because, between many other things, 01:06:13.520 --> 01:06:15.920 lack of expertise and 01:06:15.920 --> 01:06:19.240 expenses, okay. So I do not recommend a 01:06:19.240 --> 01:06:21.799 particular tool, instead the combination 01:06:21.799 --> 01:06:24.440 of tools. There are multiple open source; 01:06:24.440 --> 01:06:27.799 I mention a few in slide number 16 of 01:06:27.799 --> 01:06:30.760 my PowerPoint presentation, but again, 01:06:30.760 --> 01:06:33.279 those are not sufficient. Those are the 01:06:33.279 --> 01:06:35.559 most popular and 01:06:35.559 --> 01:06:39.480 strong, er, more accurate, uh, tools that 01:06:39.480 --> 01:06:41.760 you can use for digital forensics, but a 01:06:41.760 --> 01:06:43.680 particular tool, one or two, to do 01:06:43.680 --> 01:06:47.160 forensic investigation, it doesn't exist; 01:06:47.160 --> 01:06:49.839 it is impossible, 01:06:51.720 --> 01:06:54.039 it doesn't. Thank you again to our wonderful 01:06:54.039 --> 01:06:56.000 speaker, Dr. Luis, for answering those 01:06:56.000 --> 01:06:57.960 questions and for the great presentation 01:06:57.960 --> 01:06:59.720 and knowledge shared with our global 01:06:59.720 --> 01:07:01.720 audiences. It was a pleasure to have you 01:07:01.720 --> 01:07:03.559 with us, and we are looking for more and 01:07:03.559 --> 01:07:05.200 more sessions with you. Before we 01:07:05.200 --> 01:07:06.880 conclude the webinar, Dr. Luis, would you 01:07:06.880 --> 01:07:08.240 like to give a small message to our 01:07:08.240 --> 01:07:10.680
audiences, 01:07:10.680 --> 01:07:14.160 please? Well, no, I just want to thank 01:07:14.160 --> 01:07:16.760 everybody again, the ones that work 01:07:16.760 --> 01:07:21.160 tirelessly behind the presentation, to you 01:07:21.160 --> 01:07:23.559 in EC Council, as always, thank you very 01:07:23.559 --> 01:07:25.440 much for the support. For all the 01:07:25.440 --> 01:07:28.000 attendees, I hope you learned something new. 01:07:28.000 --> 01:07:31.559 Let me clarify that every single content, 01:07:31.559 --> 01:07:34.160 wording, words, etc., that I have been 01:07:34.160 --> 01:07:36.559 presenting for you is my original 01:07:36.559 --> 01:07:39.119 creation, 100%, not 01:07:39.119 --> 01:07:42.920 99.99 but 100%, categorically speaking, 01:07:42.920 --> 01:07:44.960 and I put together those notes and 01:07:44.960 --> 01:07:47.960 reflections for you guys with the hope 01:07:47.960 --> 01:07:49.440 that you can come back to your 01:07:49.440 --> 01:07:52.359 organization and serve better, that you can 01:07:52.359 --> 01:07:54.760 become a public servant, 01:07:54.760 --> 01:07:57.119 er, and go to the court and testify in 01:07:57.119 --> 01:08:00.799 favor of the part that deserves your 01:08:00.799 --> 01:08:03.599 benefits, and I sincerely thank you for 01:08:03.599 --> 01:08:05.599 the opportunity to share my expertise 01:08:05.599 --> 01:08:08.640 with you guys. Have a nice weekend, okay. 01:08:08.640 --> 01:08:10.200 Thank you very much for the time and 01:08:10.200 --> 01:08:13.160 questions. Thank you so 01:08:14.279 --> 01:08:16.920 much. Thank you so much, Dr. Luis, for your 01:08:16.920 --> 01:08:19.120 message. Before we end the session, I 01:08:19.120 --> 01:08:20.479 would like to announce the next Cyber 01:08:20.479 --> 01:08:23.040 Talks session: Why are strong foundational 01:08:23.040 --> 01:08:24.759 cyber security skills essential for 01:08:24.759 --> 01:08:26.960 every IT professional, which is scheduled 01:08:26.960 --> 01:08:29.279 on November 8, 2023. This session is an 01:08:29.279
--> 01:08:31.439 expert presentation by Roger Smith, 01:08:31.439 --> 01:08:34.279 director, Care Managed IT, industry fellow 01:08:34.279 --> 01:08:36.719 at Australian Defence Force Academy. To 01:08:36.719 --> 01:08:38.359 register for this session, please do go 01:08:38.359 --> 01:08:40.399 visit our website, 01:08:40.399 --> 01:08:43.439 www.ccu.edu cyber talks; the link is 01:08:43.439 --> 01:08:45.279 given in the chat section. Hope to see 01:08:45.279 --> 01:08:48.000 you all on November 8th. With this we end the 01:08:48.000 --> 01:08:49.880 session; with this you may disconnect 01:08:49.880 --> 01:08:52.080 your lines. Thank you, thank you so much, 01:08:52.080 --> 01:08:55.238 Dr. Luis, pleasure having you. 01:08:55.238 --> 01:08:57.319 Likewise, thank you very much for the 01:08:57.319 --> 01:09:01.920 opportunity. Thank you, have a good day.