Hello, everyone, and welcome to today's session on digital forensics: best practices from data acquisition to analysis. I'm Shilpa Goswami, and I'll be your host for the day. Before we get started, we would like to go over a few house rules for our attendees. The session will be in listen-only mode and will last for an hour, of which the last 15 minutes will be dedicated to Q&A. If you have any questions during the webinar, for our organizers or speakers, please use the Q&A window. Also, if you face any audio or video challenges, please check your internet connection, or you may log out and log in again. An important announcement for our audience: we have initiated CPE credit certificates for our participants. To qualify for one, attendees are required to attend the entire webinar and then send an email to cyber talks at eccouncil.org, after which our team will issue the CPE certificate. We would also like to inform our audience about the special handouts. Take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC-Council and Cyber Talks. We will share free handouts with the first 15 attendees. As a commitment to closing the cybersecurity workforce gap by creating multi-domain cyber technicians, EC-Council pledges $3,500,000 towards CCT Education and Certification Scholarships to certify approximately 10,000 cyber professionals ready to contribute to the industry. Did you know that you can be part of the lucrative cybersecurity industry? Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cybersecurity professionals. The cybersecurity industry has a 0% unemployment rate. The average salary for an entry-level cybersecurity job is about $100,000 per year in the United States. Furthermore, you don't need to know coding, you can learn from home, and you get a scholarship to kick-start your career. Apply now. 
EC-Council is pledging a $3,500,000 CCT scholarship for cybersecurity career starters. Scan the QR code on the screen to apply for the scholarship and fill out the form. Now, about our speaker, Dr. Luis. Dr. Luis Noguerol is the Information Systems Security Officer for the U.S. Department of Commerce, NOAA, where he oversees the cybersecurity operation for six states in the Southeast Region. Dr. Luis is also the President and CEO of the Advanced Division of Informatics and Technology, Inc., a company that focuses on data recovery, digital forensics, and penetration testing. He is a world-renowned expert in data recovery, digital forensics, and penetration testing. He holds multiple globally recognized information technology and cybersecurity certifications and accreditations and is the recipient of multiple awards in technology, cybersecurity, and mathematics. He currently serves pro bono as an editorial board member and reviewer for the American Journal of Information Science and Technology, is a member of the prestigious high-edging professor program for undergraduate and graduate programs at multiple universities in the U.S., and serves as a reviewer for the doctoral program at the University of Karachi in Pakistan. He is the author of multiple cybersecurity publications and articles, including Cybersecurity Issues in Blockchain: Challenges and Possible Solutions. He is also one of the co-authors and reviewers of the worldwide acclaimed book Intrusion Detection Guide. Prior to obtaining his doctorate degree in Information Systems and Technologies from the University of Phoenix, Dr. Luis earned a Bachelor of Science in Radio Technical and Electronic Engineering, a Bachelor of Science in Telecommunications and Networking, and a Master of Science in Mathematics and Computer Science. Without any further delay, I will hand over the session to you, Dr. Luis. Thank you very much. Thanks. Okay. Good morning, everybody. 
Good afternoon, and good night, depending on the specific area in which you reside. We are going to have an interesting conversation today about digital forensic best practices from data acquisition to analysis. This is the title of the presentation, and I'm more than happy to be here with you all and share some of my expertise. So, let's go ahead and start the conference, okay? She already mentioned some of my credentials. I have been working in cybersecurity at this point for over 41 years. This is in my DNA, a topic I like and respect more than any other topic I could talk about in my life. Before we go on, I have here a statement that I put together for you, okay? Digital forensic best practices. Well, consideration number one, just to break the ice: in the labyrinth of cyberspace, where shadows dance through encrypted passages and data whispers its secrets, the digital detective emerges. This is us, the digital forensic experts. Clad in lines of code and armed with algorithms, we seek the hidden treasures of truth, solving enigmatic cybercrimes. With a virtual magnifying glass, this is what we do: we dissect the digital tapestry, unveiling the footprints of elusive cyber culprits. This is what cyber forensics, or digital forensics, is about. Each keystroke and pixel holds a clue, something that we can use in our favor. And in this mesmerizing world of the digital era, of ones and zeros, the art of digital forensics is about finding the secrets of the digital reality. Digital forensics is about finding evidence that can lead to a particular process. It can be a legal process, or it can be any other kind of process. But what is digital forensics from my point of view? Well, I mentioned earlier that I've been working in cybersecurity for 41 years. My specialties are penetration testing, data recovery, and digital forensics. I've been working for police departments in multiple places, doing digital forensics for them. 
So I tried to put together an easy definition for you, from my standpoint, of what digital forensics is. Digital forensics investigates digital devices and electronic data to use as evidence. Please note that I don't say electronic information; I use the word "data" intentionally, to understand digital events and trace illicit activities. This is a key component of digital forensics. Normally speaking, digital forensics happens, of course, after the facts, and the idea of digital forensics is identifying traces, okay, that lead to particular data that we can gather together to reach a conclusion. It involves the systematic collection, preservation, analysis, and presentation of digital evidence in legal proceedings. This is key today because we are technology-dependent, and there are multiple states, at least in the USA and some other countries, where digital forensics is still in limbo because it's not accepted in the court of law. Okay. So, this is very important to keep in mind. What are we going to do from the digital forensics standpoint, in the data collection process and the analysis? Digital forensics experts use specialized techniques and tools to extract data from computers, smartphones, networks, and digital storage media to support investigations and resolve legal matters. So this is basically what digital forensics is about. Let's go ahead and start with the technical part, which is the topic I like most. Okay, let's talk about those 30 best practices that I've put together for you. At the end of the presentation, you will have the opportunity to ask as many questions as you like. 1. You have to follow the legal and ethical standards: For this particular first point, I am not going to make any comment. I believe that ethics is a key component of cybersecurity. We always have to follow the rules. We must always follow the legal procedures in the places in which we operate, because every single place is a different component. 
2. Preserve the original evidence: This is key. Okay. You always have to maintain the integrity of the original evidence to ensure it is admissible in court. Any kind of manipulation or modification will result in disqualification from the court system. Document everything: This is something that technical people like me don't like too much, but when it comes to digital forensics, we have to document every single step we take. We have to record all the steps we follow, and we want to make sure that everything is documented and recorded in a specific chronological order. This is a key component for digital forensics or investigations to be accepted in the court of law. Secure the scene: It's not just physical crime scenes that need to be secured to prevent contamination or tampering. If you present anything in court and the opposing party has the ability to prove that something was not preserved, the conversation is over. Chain of custody: I'm going to repeat this more than once during the presentation. Sorry. Chain of custody refers to how you establish and maintain the evidence and the process that facilitates how the tracking is handled. Use write-blocking tools: This is another key component of digital forensics. It means that you have to use the appropriate hardware and software write blockers when you are collecting data, to prevent alteration. There is a set of tools you can use, and at the end of the presentation, I'm going to provide you with a specific set of tools you can use as write-blocking tools. Verify hash values: This is how you calculate and compare hash values to verify the data's integrity. There is often confusion about integrity, confidentiality, and availability. In digital forensics, the most important component is integrity. 
It means that we must make every effort to ensure that the data is not modified in any possible way, from the time we arrive at the scene to the time we present the evidence in court, and even after that as well. The other component is: Collect volatile data first. Okay, this obviously makes perfect sense. You have to prioritize this type of data collection, as it can be lost or modified when the system is powered down. For many of you, what I'm going to tell you may sound inappropriate, and this is the following assessment: we've been told from the time we arrived at school, and even at work, that information or data in random access memory (RAM) disappears when the computer is shut down. Back in 2019, I made a presentation similar to this one for this same forum, in which I proved that the data in RAM can be recovered. Okay. So, what we have been learning in multiple places, and what you can easily find on Google, that data in RAM is lost when computers are powered down, is not exactly correct. The other component is the forensic image. You have to create a forensic image of storage devices to work with copies. You must always present the original evidence. This is a requirement in the court of law. You must present the original evidence every single time. The other component is data recovery. Data recovery is closely associated with digital forensics for obvious reasons. Okay. You have to employ specialized tools to recover deleted or hidden data. This is also something to keep in mind. At the end, I'm going to provide some specific applications you can use to do data recovery. Timeline analysis: You must construct and analyze timelines to understand the sequence of events. What happened first? The chronological order is a mandatory requirement in the court of law. You cannot present evidence in court in a random manner. You have to follow the specific chronological order. The other consideration is preserving the metadata. 
Ensure metadata integrity to verify the results, timing, and authenticity of the digital artifacts you are going to present in the court of law. Use known good reference data: This means you have to compare the collected data with known good reference data to identify anomalies, specific patterns, and statistical processes. Many times, you have to do this as well. Anti-forensic awareness: You have to be aware of the anti-forensic techniques in use. There are multiple applications that work against digital forensics. So, you must be aware of that. Before you start the digital forensic analysis, while working on the data collection process, you want to make sure you don't have any anti-forensic tools or applications installed on the particular host or hosts on which you are going to conduct the investigation. Another very important component is cross-validation. This is what brings actual reputation and respect to the data you are presenting in the court of law. Okay? Standard operating procedures are a very important component that is oftentimes overlooked, and it's about developing and following SOPs that maintain consistency. This is why documentation is key, and it was presented in slide number one. Training and certification are also important components, and this is relevant. The reason why it's relevant is that I understand you can learn many things by yourself. This is becoming more popular as we become more technology-dependent. This is normal and expected, but certifications still hold particular value. There are multiple questions in certification exams, in general terms, not only in EC-Council certifications or others, which, most likely, if you don't go through the certification process, you will never find out about. And this is what some people say: "Well, this is theoretical information." Digital forensics involves a lot of theoretical information. A LOT. Remember that we are doing the analysis at a low level, from the technical standpoint. 
So theory is extremely important and relevant when we do forensic investigations, digital forensics. The same happens with medical doctors. When medical doctors do a forensic analysis of the body of someone who passed away, they also employ a lot of theoretical knowledge they have been accumulating. Digital forensics is no different. The other consideration is expert testimony. Okay? I, for example, live in Miami, Florida, in the USA, and I am one of the 11 experts certified by the legal system in the 11 districts. This means that when you go to court, you have to be classified as an expert in order to provide comments and evidence. Otherwise, you will probably not be able to speak in court, as what we say in court is relevant for the case. And with our wording or statement, along with the evidence we provide, we have the ability to put somebody in jail or release this person from jail. So, this is extremely important. Okay? Evidence storage is one of the most important components. Your opponent in court, or in your company, will try their best to challenge what you are presenting. So, you have to safely store and protect evidence to maintain its integrity. Integrity is the most important characteristic or consideration in digital forensics, without any other factor coming close. So, integrity is everything in digital forensics. Okay? Data encryption: There are multiple cases in which you will do digital forensics on encrypted storage devices, encrypted data, or encrypted applications. You need to develop the ability to handle encrypted data and understand the encryption methods. Among my publications, I have over 25 on different topics and concepts within security. A few of them, probably five or six, are specifically about encryption. If we want to do digital forensics, we must become data encryption experts. There is no other way. 
I understand that many people don't like math, statistics, physics, etc., but this is a requirement for doing an appropriate digital forensic assessment. It's a necessity today. Okay? The other consideration, and this is for the people who love technology like me attending or watching this conference, is the network. I am a big fan of networks. I have been working in networking for 41 years. My doctoral degree is in telecommunications and cybersecurity. So, networking is in my DNA. I love networking more than any other topic in information technology. Network analysis is the ability to analyze network traffic, logs, and data to trace digital footprints. I'm pretty sure everyone has a tool in mind, and, of course, this tool is most likely part of the tools I'm going to provide in the last slide for you. But network analysis today, from a digital forensics standpoint, is everything. Everything is network-related in one way or another. Malware analysis: We need to develop the ability to understand malware behavior and analysis, and how that malware impacts systems. This needs to be incorporated as part of the cybersecurity analysis when performing digital forensics today. Cloud forensics: I don't have to highlight how important cloud operations are. Okay? We are moving operations to the cloud, and for those still running operations on-premises, there is a high expectation that sooner rather than later, you will move operations to the cloud for multiple conveniences. However, the configuration at this point does not fully benefit from all aspects of the cloud. From a forensic standpoint, when you do cloud forensics, the situation is a little different from on-premises investigations. So, you have to adapt methodologies for investigating data in the cloud, regardless of the cloud provider. As examples, you can see AWS, Google, Azure, or any other. The operation in the cloud is somewhat different from a digital forensics standpoint, starting with how you access the data. 
Remote forensics: Remote forensics is the opportunity to develop skills for collecting and analyzing data from a remote location. This is happening more frequently now as we become more telework-dependent. In multiple cases, in my own company, for example (you know my job with the government, but I also own my own company), I have been doing more remote digital forensics in the last two or three years, probably two years, than probably ever before in my life. So, this is an important skill to develop as well. Case management: This is how we use digital forensic case management to organize and track investigations. I mentioned to you that I go to court very often, more often than I want, very, very often. Okay. And they scrutinize every single protocol you present, every single artifact, every single document, and the specific chronological order. This is a complex process. It's not just collecting the data, performing the digital forensic analysis, and going to court to testify. Okay? The process is much more complex than this. Collaboration: Collaborate with other experts, and there's one in the middle that I'm going to highlight in a few minutes. Collaborate with other experts, law enforcement, or organizations for complex cases. Cases are different from one another. Of course, this is okay, and I know you know that. Okay? But sometimes you have cases in which the forensic analysis becomes very complex. In those particular cases, my advice is to collaborate with others. Okay? You do better when you work as part of a team and not when you work independently. I'll dwell on data privacy compliance for a minute because this is relevant. Every single state, every single one, no exception: each state court operates under different requirements. So, you want to make sure that you follow the privacy regulations in your specific place. Okay? And by the way, I'm going to ask you a question. I'm not expecting any response. 
But the question is: by any chance, do you know the specific digital forensic regulations in the place you live? Ask yourself this question, and probably some of you are going to respond "no." This is a critical thing. Continuous learning: You need to keep learning about what we do. Okay? Cybersecurity is a specialization of IT. From my point of view, it's the most fascinating topic in the world. This is the only topic I can talk about for 25 hours without drinking water. This is my life. I dedicate multiple hours every single day, seven days a week, even when it creates some personal problems with my family, etc. This is in my DNA. I encourage each of you, if you are not doing so, to dedicate your life to becoming a digital forensics expert. Digital forensics is one of the most fascinating topics on the planet. Okay. And you want to be attentive to these types of things. Report and presentation: When you go to court, or when you present all the digital forensic outcomes to your organization, you want to make sure that you use clear language, you are concise, and you are ready for the questions and answers after the presentation. You never want to go to court unprepared. Okay? Never in your life. This is not appropriate because, at the end of your assessment, it is possible that somebody will be put in jail, or somebody will be fired from the organization, or not. So what we say is relevant. Our wording has a huge impact on other people's lives. It's important to be attentive to that. One of the most relevant topics that I have been using in my practice is the use of artificial intelligence in digital forensics. I have been using it since 2017, and it is still not a well-known topic. That is the reason I really want to share my practical experience with you: digital evidence analysis, and how artificial intelligence can help us. 
Well, everybody knows that we have multiple applications that we can use in order to analyze the different kinds of media that can be generated, for example, text, images, and videos. Artificial intelligence tools have the ability to detect and flag potentially relevant content for investigations, especially from the timing standpoint. Digital forensics is extremely time-consuming, very, very time-consuming and complex. This is probably, along with data recovery, the most complex specialization in cybersecurity. So the use of artificial intelligence in our favor is very convenient. And at the end, I'm going to include as well, or actually I already included in the list, a particular artificial intelligence tool that you can use in your favor. The other use of artificial intelligence is pattern recognition. Artificial intelligence can identify patterns in data, helping investigators recognize anomalies or correlations in digital artifacts that may indicate criminal activity. Out of the whole sentence, the most important question is: "What is the key word?" The key word is correlation. How do we correlate data by using artificial intelligence? The process is going to be simplified dramatically, speaking from my personal experience. The other component is NLP. This can be used to analyze text-based evidence, including logs and emails, to uncover communication patterns or hidden meanings. A lot of the evidence that we collect, about 65%, is contained in emails, chats, documents, etc., so this is where NLP plays a predominant role in the use of artificial intelligence in digital forensic analysis. For image and video analysis, it provides incredible benefits. Okay? You have the ability to analyze multimedia content to identify objects, people, and potentially illegal or sensitive content. I'm sure a word is coming to your mind right now: steganography. Yes, this is part of steganography, but it's not similar to doing steganography by using a particular application. 
When you employ artificial intelligence tools that are dedicated exclusively to digital forensics, the benefit is really awesome. Predictive analysis: Machine learning models can predict potential areas of interest in an investigation, guiding forensic experts to focus on critical evidence. Imagine that you are analyzing a one-terabyte hard drive that holds a lot of documents, videos, pictures, sounds, etc. You know that, right? If you are attending this conference, it's because you are very familiar with information technology, cybersecurity, and digital forensics. Well, how do you find the specific data you need to prove something in a court of law? You have to be very careful about the pieces of data you pick for the analysis; otherwise, your assessment is not appropriate. And again, every single word we say in a court of law, or in the organization we are working for, is relevant. It implies that probably somebody will be in jail for 30 years, or probably somebody, if we're talking about a huge crime like an assassination or child abuse, will face consequences like death. Our assessment is critical. Okay? We become the main players when digital forensics is involved. We have to be very careful about the way we do it. This is not a joke; it's very serious. Okay? Predictive analysis, machine learning models, or artificial intelligence are pretty close in this concept, and can predict potential areas of interest in an investigation. But we also talk about detection. AI-driven security tools can identify cyber threats and potential cybercrime activities, helping law enforcement and cybersecurity teams respond effectively and proactively. More importantly, the majority of us have multiple tools that we call proactive in our place of work. Okay? We have different kinds of monitors, etc. But the possibility to do something in a proactive mode is really what we want. 
Evidence authentication: Artificial intelligence can assist in the authentication of digital evidence, ensuring its integrity and the possibility of this data being admitted in court. Data recovery: Artificial intelligence helps with the recovery of data that has been deleted intentionally or unintentionally. It doesn't matter. When we do digital forensics, we want to have as much data as we can to make a case against a particular party. From the malware analysis standpoint, artificial intelligence brings a lot of speed, and this is needed because, again, you are looking for a needle in a ton of water or a ton of sand, and this is very complex. From the network forensics standpoint, we are accustomed to using tools such as Wireshark, which everybody knows; well, anyway, there are now specific artificial intelligence tools for network forensic analysis. I have included two of those tools in the list on the last slide. Automated trace: This is one of the most important considerations for you to consider with artificial intelligence in digital forensics. Speed is key. It's basically the ability to do correlation between large data sets. Case priority: Artificial intelligence can assist investigators in prioritizing cases based on factors like severity, potential impact, or resource allocation, meaning timing. Predictive policing: This is super important because, until today, digital forensics has always been reactive. We react to something that happened. The possibility of making predictions in digital forensics is fantastic. It has never happened before. This is new, at least for me. I started using artificial intelligence in my own company back in 2017, and I have been able to do that in multiple cases for the police department in Miami and in two other cities in Florida: Tampa and St. Petersburg. The results have been amazing. Document analysis: You know that NLP can extract information from documents and analyze textual content for investigations. 
Artificial intelligence dramatically minimizes the time needed for that. Emotion recognition: Everybody knows what happened with the DSP algorithms. Okay? So we can use artificial intelligence to analyze videos, which is awesome because our eyes, the muscles in our eyes, don't have the ability to lie. We can lie when we speak, or we can try, but our eyes' reactions to a particular stimulus cannot be hidden or modified. So this is unique. From the data privacy and compliance standpoint, you also have the ability to automate the selection of the specific data you want to include as part of your report. Okay? Now, digital forensic data acquisition steps. From my standpoint, after 41 years of experience, preservation, which we already talked about, comes first. Preservation is integrity. Okay? This is the most important consideration, categorically speaking, in any kind of digital forensic investigation. You have to preserve the data as it is. And remember, you never use the original data for your forensic analysis, never. You always use a copy. And to make copies, you have to use bit-by-bit applications. Bit by bit: you cannot copy bytes, or copy the data and forget about the information. So, preservation is the most important thing. Documentation: We already know that everything needs to be documented, okay? From the crime scene to the last point. Chain of custody: One more time, and I guess I'm going to mention this one more time, because chain of custody opens the door for you to present a case in the court of law, or to prove, in your organization, that what you are presenting is appropriate. You have to plan how you are going to collect the data. You have to plan in advance: the specific tools you are going to use, the methods you are going to consider. In your data collection process, this is relevant, and you always have to consider it. The cons. 
The cons are probably more important than the pros when you select or decide to use a particular application for data acquisition. You always want to focus on the negative. People usually tend to talk about the positive: "oh, I like Wireshark because of this and that." It's better that you focus on the negative. In information technology, everything has pros and cons; no exceptions. Exceptions do not exist. There is not one exception. Everything positive has something negative in information technology, and this is what you want to focus on to avoid problems in the end. Okay, so... How about the verification process? You have to verify, before you work with the real data, that the tools and methods you selected work. Okay? You never want to mess with the original data. You need to work with a copy. You want to test your tools, your methods, and your approach in a test environment. The steps you are going to follow are very time-consuming. They are, but, by the way, it's also very well paid. It's very well paid. The only thing I can tell you is that it's very well paid. You have no idea. If you become a cybersecurity expert and specialize in digital forensics, this is where the money is, and trust me, this is where the money is. Okay, I'm telling you from first-person experience. Duplication: we've talked about that already. The only way to do it is by creating a bit-for-bit image. There is no other way. Okay, this is why you want to use write-blocking devices, software and hardware. I mentioned that before. Checksums and hashing: different concepts that some people are still confused about. Okay? There is a huge difference between the two. The main one is that hashing is a one-way function. You go from the left to the right, and usually, you don't have the ability to come back and replicate the process. Of course, if you have the algorithms on hand, then you can do reverse engineering. This is obvious, but this is not what happens under regular conditions. 
Okay, so checksums and hashing both minimize the possibility that you make a mistake in your digital forensic analysis. The other component is acquisition. Okay, so how are you going to collect the data? What particular tools are you going to use? You always have to maintain strict read-only access to the source. If you have the ability to manipulate the data in the source, you have the ability to tamper with it. Actually, regarding the most important consideration out of the CIA triad, which is integrity: if the opponent, the opposing party to you in your organization, the defendant in other words, has the ability to prove that the original data or source can be manipulated in any way, the conversation is 100% over, and the case will be dismissed. Categorically speaking, there's no more conversation. So this is a humongous responsibility when it comes to data acquisition. What protocols you use, what the specific tools are, how you plan it, and how you document it is a very painful process, in other words. Okay, now data recovery. We already talked about the complexity of finding a needle in a ton of sand. This is super complex, okay? But it's doable. The only thing you have to do is use the appropriate tools, and you need to have a specific plan, because every single case is 100% different. Digital signatures: sign the acquired data and hash it with a digital signature for authentication. There are multiple cases today in which digital signatures are not accepted anymore. In the government, I am a federal officer for the U.S. Department of Commerce in the USA. In the government, we have not been allowed to sign anything by hand for many years. Many years, okay? Digital signatures have a specific component that minimizes, dramatically speaking, the possibility of replication, and this is why they are accepted in a court of law. Verification: verify the integrity of the acquired image by comparing its hash values with those calculated before. The hash values must be exact. 
No difference, not even by 0.001%. A match, 100%, categorically speaking. Otherwise, the court is going to dismiss the case as well, or the organization probably isn't going to take the appropriate action against a particular individual or problem or process. Okay, LS and no--we already talked about documentation at the beginning. You have to actually make sure that everything is timestamped. As I mentioned at the beginning, digital forensics must be collected in a particular order, analyzed in a similar manner, and presented in the report in the specific order in which the process was done. Otherwise, the process is going to be disqualified, and this is exclusively our responsibility at this point, and nobody else's. Okay, the storage--we already know that chain of custody is one of the most important components. There are multiple forms, depending on the state in which you live and the country as well, that you have to follow. Anything--if you miss a check mark, or misplace a check mark on those particular forms--you are basically dismissing the case. You intentionally... the court doesn't work in the way many of us believe. Okay, we have the possibility to put somebody in the electric chair or to release, or to provide this particular individual or organization what we said is relevant. Okay? This is very important. The briefing--you always have to be in communication with all parties, both the one presenting the digital process or ruling on the process and the other party as well. You cannot hide anything--zero--from your opponents in the court of law or from the defendant's side. Never in your life. This is why the first bullet in the whole presentation was, as you may remember, ethics. Okay, in digital forensics, we provide what we know to the other parties as well, even to the defendant, to the opponents, every single time. No exception. And we provide every single artifact with the clearest possible explanation to the opponents. 
This is how the digital forensic process works. Otherwise, it will be dismissed in court as well. Storing--you have to make sure that every single piece of digital evidence is properly stored and that you follow the process by the book. Again, if you skip one step, just one out of 100 or 200 steps depending on the case, the case is going to be dismissed. No exceptions. The court goes by the book, as you can imagine, and your opponent is going to be very attentive to the smallest possible failure in order to dismiss the case. Okay, so how do you transport the data from one place to the other? Chain of custody--this is the key component. Chain of custody, data encryption--you have to make sure that you prevent, or actually proactively prevent, integrity manipulation, and you always want to ensure the confidentiality of the data (CIA). We already talked about the components: confidentiality, integrity, and availability. From the digital forensic standpoint, the most important--no exception--is integrity, and also confidentiality. Okay, so from the recovery image standpoint, you always want to have a duplicate for validation and reanalysis. Remember that you always want to work with a copy of the digital evidence, 100% of the time, no exceptions. You have to preserve the original evidence. This is part of our responsibility, and this is why we do bit-by-bit analysis and bit-by-bit copies. It's complex. Okay, now a specific step in digital forensics is to analyze the collected data. At this point, you have already gone through multiple processes and spent a lot of time. How do you analyze the data you have? Because you are probably going to have terabytes of data. Okay, well, you have to make sure that hashing and digital signatures and the chain of custody have been followed. Data prioritization--what happened and what is more relevant? You cannot present two terabytes of data or 2,000 pages in court. This is irrelevant for the case. 
Okay, you have to make sure that you use keywords in order to provide a solid report to the court for this particular case. For the keywords, artificial intelligence has proven to be of huge help. File carving--you have to use a specialized tool to recover files that may have been deleted or are intentionally hidden. Timeline analysis--we talked about it. You have to do everything by following a particular sequence of activities. In other words, you have to present and do the analysis in chronological order, in the way that you collected the data. This is the exact way you do the analysis, and later you do correlation. Okay, but you have to follow a particular chronological order. Data recovery--you have to do your best to reconstruct the data that has been deleted or probably damaged, even by physical or electronic conditions in the storage media. The metadata analysis is also complex. Okay, this is the next component after the timeline analysis. Metadata includes multiple kinds of data, so this part of the analysis is going to be more complete and more time-consuming than the data collection, and the data collection is already very time-consuming. Content analysis--you have to be very careful because this is basically what the forensic analysis is. Pattern recognition--how you can match one bit of data with another bit. Okay? Is there any association between bits, between bytes, between data, between words? This is an ideal component. Communication analysis--again, you want to make sure that you include everything. Emails today are probably the most relevant component of digital forensic analysis. You want to make sure that you master email analysis as well. Data encryption--you always have to keep in mind the confidentiality, and when we are talking about the recovery or the recovery image, I mentioned that as well, similar to the chain of custody before, because you always have to preserve the original data. 
Evidence examination--you want to make sure that you verify the integrity of the data you have been acquiring, including hash values, digital signatures, and the chain of custody. We talked about this already. This is a repeat of the slide, by the way. Okay, so database examination--forgive the duplicate slide; this slide is the same as that one. My apologies for that, it's my fault. Database examination--investigate databases for valuable information, including structured data, logs, entries, etc. Media analysis--this is a very complex process because it's usually about steganography or includes steganography, and this is about images, videos, audio, geolocation, and digital signatures. Network traffic analysis tools, Wireshark as well--but my suggestion is that you use all the tools that are part of the artificial intelligence applications we can use today and that are available in the market. Steganography is always complex, okay? Because steganography includes not only images but, in many cases, audio as well, and this is very complex and time-consuming. You always want to make sure that you use the appropriate steganography analysis techniques, and there are multiple specific techniques for volatile analysis. As I mentioned before, there are multiple ways to do data acquisition from RAM memory. When we turn off the computer, all the data from RAM goes away--this is what everybody says. This is what Google says. This is what people who have never done forensic investigations repeat. This is not appropriate if you know how to do it. Again, I made a presentation for EC-Council in 2019. If you Google my name and this presentation, you will be able to find a particular video in which I was able to recover data from RAM memory after the computer was taken down. Believe it or not, go to the other presentation in the EC-Council database, and you will be able to see the video. 
Okay, comparison--you have to cross-reference every single time to make sure that the data you identify is appropriate, and you always identify deviations and inconsistencies before you do the final report. I told you already: when you present the report in the court of law, any minimal mistake, something minimal, will disqualify the case. For example, in this presentation, I included a duplicate slide by mistake. This slide and this slide. If I do that in the court of law, it's dismissed. Okay, that's it. There's no more conversation. The emotion analysis--we've talked about that. We are talking about persons. Digital evidence is always related to people, processes, applications, hardware, software. So we want to make sure that what we present is accurate. And the documentation--at some point, it was the second point in the presentation. We have to document everything. Reporting is about compiling in a clear and comprehensive manner, including summaries, methodologies, and supporting evidence. You have to include, or at least in my case, I always include, the recordings of everything I do. Everything means even if I open my personal email, or if a notification comes to my computer and I open something in my WhatsApp, for example, this is part of the recording as well. Okay? So, you have to make sure that you provide expert testimony. In order to do that, you have to be an expert in digital forensics. Peer review--consult with others, with your partners, with the opponent, with the defendant's side before you present. It's not that you are going to modify the report because the defendant doesn't like it. This is not what I'm telling you; it's just that you are going to provide the report. By the way, you must provide the report to the defendant before you go to court. By the time you stand up in court, everything needs to be done. The other party needs to know exactly what you are going to present. This is how the legal systems work. 
Okay, with the exception of very few countries, but in the world, this is how it works. So, quality assurance is just making sure that what you present is appropriate. Case management is how you use the digital forensic system to track everything in the analysis process, and then data privacy compliance. I told you already that every single place, every single city, and every single state operates under different conditions. Popular tools for digital forensics: a few of those are EnCase, Autopsy, AccessData (everybody knows how to use the Forensic Toolkit), X-Ways Forensics, Cellebrite, Volatility, Wireshark (everybody most likely knows it), Oxygen Forensic Detective, and the Digital Evidence & Forensics Toolkit (DEFT). Some of those are included in Kali, others are not. Some are open source, and others are extremely expensive. For example, EnCase, which is very, very expensive. Some relevant references about digital forensics: I prefer to use keywords and not particular references or books because I don't recommend any specific book. Instead, the combination of content, knowledge, and expertise is key. But some words or keywords you can use if you want to expand more on digital forensics are: digital forensics best practices, challenges, mobile digital forensics, network forensic techniques, cloud forensic investigations, Internet of Things forensics, memory forensic analysis--because you want to stop repeating what you have been learning for years. When you take down the computer, when the computer is turned off, there is a lot of data that remains in RAM memory, for a particular amount of time, of course. Okay, so try to expand on this topic: malware analysis in digital forensics, and cybersecurity and digital forensics trends. Those are keywords that will facilitate your expansion, or help you expand your digital forensics knowledge. Other considerations are some particular journals. 
Okay, in this case, I'm going to take a risk and recommend Digital Investigation, which is published by Elsevier. It is one of the top journals in the world. The others are the Journal of Digital Forensics, Security and Law, and Forensic Science International: Digital Investigation. I'm open to any questions you may have, and one more time, I want to sincerely thank EC-Council for another opportunity to talk about this fascinating topic. Thank you very much to all the staff at EC-Council who worked tirelessly to make this presentation possible. And thank you so much as well to you guys for attending the conference and for the questions that you may ask. Thank you very much, Dr. Luis, for such an insightful and informative session. That was really a very interesting webinar, and we hope it was worth your time too. Now, before we begin with the Q&A, I would like to inform all the attendees that EC-Council's CHFI maps to the forensic investigator and the consultant in digital forensics roles. Anyone with the CHFI certification is eligible for 4,000+ job vacancies globally, with an average salary of $95,000. If you're interested in learning more, kindly take part in the poll that's going to be conducted now. Let us know your preferred mode of training, and we will reach out to you soon. Dr. Luis, shall we start with the Q&A? Yes, I'm ready. Okay, our first question is: How do you prove in a court of law that the collected evidence is from the same object and not collected from any other object? This is a very important question. I really appreciate the clarification on this topic. As I said, we have to be very careful about the way we collect the data. When we are talking about objects, objects are associated with bits, not just bytes, but bits. And as I mentioned multiple times, when we do the copy of the original data, we want to make sure that we always do it bit by bit. 
When you do bit by bit, and not byte by byte, because a bit implies up to 3.4 volts of electricity, we are eliminating the possibility of mistakes. Objects are bigger; a bit does not constitute an object. Objects are formed by multiple bits. This is why we have to do the analysis bit by bit, and I have mentioned that multiple times. Thank you for answering that question. Our next question is: What kind of forensic data can we obtain from encrypted data where the key is not available to decrypt the data? Could you please repeat the question? What kind of forensic data can be obtained from encrypted data where the key is not available to decrypt the data? You encrypt data... I'll just paste the question to you in the chat, Dr. Luis. I'm not watching the chat right now. Something happened. I'm not watching the chat. Sorry. Hello? Can you hear me? Yes, I can hear you. Yes, I have posted the question in the chat, Dr. Luis. Okay. Okay, please. Yes, I have already pasted it. Okay, let me check here. Okay, give me a second. Okay, what kind of forensic data can be obtained from encrypted data? Oh, okay. Well, this is another misperception. Everybody knows that when the data is encrypted, we cannot open the data or the particular file, document, video, or any kind of digital forensic data. Let me tell you something: there are multiple forensic tools that have the ability to decrypt the data even when we don't have the key. I understand the key component, and I understand the two types of encryption--symmetric and asymmetric. As I said, I have multiple publications about encryption. But there is most likely always the possibility to decrypt data without having the encryption key. I understand that it doesn't sound popular, and it's not what we hear every single time, but when we specialize in digital forensics, we usually have the tools we need to decrypt the data, especially if you are using artificial intelligence. Also, in the government, at least in the U.S. 
government, in my operation, in the operation I direct, I handle, and I supervise, we have been using artificial intelligence for multiple things in cybersecurity since 2017. We are also using quantum computing. Quantum computing is not coming; quantum computers have been in use in the U.S. government for years now. So, we have been using quantum computing for years. There are multiple ways to decrypt the data when the encryption key is not available. Multiple ways, and multiple applications as well, help with the process. It's very time-consuming, but there is a possibility for that. And this is a great question because the question is, "Okay, what if the hard drive is encrypted? There's nothing I can do, right?" No, this is not like that. There are always ways to decrypt the data. Always. It doesn't matter how strong the encryption is, but you need to have the appropriate tools in place. For example, I'm going to mention just one: EnCase. When I presented some tools that I suggest, before, I said that EnCase is very expensive. EnCase does magic (in quotation marks). EnCase does multiple things that we don't learn in school. Okay, so I can see the other question here: How to adapt to investigations in the cloud, since the cloud providers do not allow the most important operations to access media? When you have to do a case or conduct digital forensics in the cloud, the cloud providers, 99% of the time (I don't want to say 100% because I don't want to risk it), include in the SLA (Service Level Agreement) what is going to happen if a digital forensic or any kind of investigation needs to be performed in the cloud space. So, most likely, the cloud operator is going to facilitate access to everything you need. Sometimes, you have to move and go physically to the place where the data is hosted. Don't believe that the cloud provider doesn't know where the data is hosted. We know where the data is hosted. 
Specifically, I have been in San Diego, California, and other states, in Hawaii back in 2019 as well, doing forensic investigations in a cloud environment. It was actually for something government-related, and I was given the permission I needed to do any kind of investigation. So, cloud providers facilitate forensic analysis because forensic analysis is usually related to legal cases. There are multiple cases in which, in the USA, we don't have access to this data, and I'm going to mention an example: TikTok. The problem between the U.S. government and TikTok is that when TikTok got the authorization to operate in the USA, the government was one step behind. Okay, and we don't regulate TikTok at this point. TikTok has the ability to prevent forensic investigations on the TikTok platform by the U.S. government or legal system. Okay, but again, usually, cloud providers facilitate investigations in the cloud 100%. They cooperate in every single manner to facilitate forensic investigations. Thank you for answering that question. We'll take the last question for the day. What are the best open-source free tools for social media forensics? There is no "best" open-source tool. It is a combination of tools. Number one: digital forensics cannot be performed, categorically, with one or two tools. This is a complex, time-consuming, and expensive process. I made some suggestions; they're included in the slide. Let me see a slide... slide number 16. Okay, this is the slide in which I include EnCase, Autopsy, and some of them are uppercase as I... I'm sorry, open-source, as I mentioned before, but there is not a particular tool, or two or three tools, that I will recommend. Because, on top of that, every single forensic investigation is about a different process. You cannot use the same tools. This is why there is, at least in the USA, a very small number of organizations or companies that specialize in digital forensics, as my company does. 
The reason why is because, among many other things, of the lack of expertise and the expenses. Okay, so I do not recommend a particular tool. Instead, I recommend a combination of tools. There are multiple open-source tools. I mention a few in slide number 16 of my PowerPoint presentation, but again, those are not sufficient. Those are the most popular and the stronger, more accurate tools that you can use for digital forensics, but a particular tool, one or two, to do a forensic investigation--it doesn't exist. It's impossible. It doesn't exist. Thank you again to our wonderful speaker, Dr. Luis, for answering those questions and for the great presentation and knowledge shared with our global audience. It was a pleasure to have you with us, and we are looking forward to more and more sessions with you. Before we conclude the webinar, Dr. Luis, would you like to give a small message to our audience? Please. Well, no, I just want to thank everybody again, the ones who worked tirelessly behind the presentation to you at EC-Council. As always, thank you very much for the support. To all the attendees, I hope you learned something new. Let me clarify that every single piece of content, wording, words, etc., that I have been presenting to you is my original creation, not 99.99%, but 100%, categorically speaking. I put together those notes and reflections for you guys with the hope that you can go back to your organization and serve better, that you can become a public servant and go to court and testify in favor of the party that deserves your benefits. I sincerely thank you for the opportunity to share my expertise with you guys. Have a nice weekend, okay? Thank you very much for the time and the questions. Thank you so much. Thank you so much, Dr. Luis, for your message. Before we end the session, I would like to announce the next Cyber Talk session: "Why Are Strong Foundational Cybersecurity Skills Essential for Every IT Professional?" which is scheduled for November 8, 2023. 
This session is an expert presentation by Roger Smith, Director, Managed IT, Industry Fellow at the Australian Defence Force Academy. To register for this session, please visit our website: www.ccu.edu/cybertalks. The link is given in the chat section. Hope to see you all on November 8th. With this, you may disconnect your lines. Thank you. Thank you so much, Dr. Luis. It was a pleasure having you. Likewise, thank you very much for the opportunity. Thank you. Have a good day.
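An added example, not part of the webinar or the speaker's material, illustrating the acquisition and verification steps the presentation describes: a bit-for-bit copy taken from a source that is only ever read, a hash computed on the source before acquisition and on the image afterwards, and an exact comparison with no tolerance. It also shows why that verification rests on a cryptographic hash rather than a simple checksum: swapping two bytes of the image leaves an additive checksum unchanged but changes the SHA-256 digest. The "drive" is a constructed in-memory byte string, and the block size, function names and toy checksum are assumptions made for illustration.

```python
"""Added example (not from the webinar): bit-for-bit acquisition, hash
verification, and checksum vs. cryptographic hash on a tampered image.
The "drive" below is a constructed byte string, not a real device."""
import hashlib
from typing import Dict

# Constructed sample source: a few boot-sector-looking bytes, 2 KiB of
# filler, and a 0x55AA trailer. Assumption for illustration only.
SOURCE_DRIVE: bytes = (
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + bytes(range(256)) * 8 + b"\x55\xAA"
)


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash used for the before/after comparison."""
    return hashlib.sha256(data).hexdigest()


def additive_checksum(data: bytes) -> int:
    """Toy checksum (sum of bytes mod 2**32). It is order-insensitive,
    so it cannot tell a reordered image from the original."""
    return sum(data) % (1 << 32)


def acquire_image(source: bytes, block_size: int = 512) -> bytes:
    """Bit-for-bit image, copied block by block. The source is only
    read; nothing is ever written back to it (the property a hardware
    write blocker enforces on a physical drive)."""
    image = bytearray()
    for offset in range(0, len(source), block_size):
        image += source[offset:offset + block_size]
    return bytes(image)


def verify_image(source_hash: str, image: bytes) -> bool:
    """Verification step: the image hash must equal, exactly, the hash
    computed on the source before acquisition. No tolerance."""
    return sha256_hex(image) == source_hash


def tamper_swap(data: bytes, i: int, j: int) -> bytes:
    """Simulated tampering: swap two bytes of the image."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


def run_demo() -> Dict[str, bool]:
    """Acquire, verify, then tamper and check what each method detects."""
    source_hash = sha256_hex(SOURCE_DRIVE)       # recorded before acquisition
    source_sum = additive_checksum(SOURCE_DRIVE)

    image = acquire_image(SOURCE_DRIVE)
    tampered = tamper_swap(image, 0, 1)          # bytes 0x33 and 0xC0 swapped

    return {
        "clean_verified": verify_image(source_hash, image),
        "tampered_verified": verify_image(source_hash, tampered),
        "tampered_checksum_matches": additive_checksum(tampered) == source_sum,
        "tampered_hash_matches": sha256_hex(tampered) == source_hash,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

On a real drive the same comparison is the digest of the device taken through a write blocker before imaging against the digest of the image file afterwards, with both values recorded in the chain-of-custody documentation; the toy additive checksum stands in for any non-cryptographic check that an adversary can satisfy while still changing the content.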