Hello, everyone, and welcome to today's session on digital forensics: best practices from data acquisition to analysis. I'm Shilpa Goswami, and I'll be your host for the day. Before we get started, we would like to go over a few house rules for our attendees. The session will be in listen-only mode and will last for an hour, of which the last 15 minutes will be dedicated to Q&A. If you have any questions during the webinar, for our organizers or speakers, please use the Q&A window. Also, if you face any audio or video challenges, please check your internet connection, or you may log out and log in again.

An important announcement for our audience: we have initiated CPE credit certificates for our participants. To qualify for one, attendees are required to attend the entire webinar and then send an email to cyber talks at eccouncil.org, after which our team will issue the CPE certificate. Also, we would like to inform our audience about the special handouts. Take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC-Council and Cyber Talks. We will share free handouts with the first 15 attendees.

As a commitment to closing the cybersecurity workforce gap by creating multi-domain cyber technicians, EC-Council pledges $3,500,000 towards CCT education and certification scholarships to certify approximately 10,000 cyber professionals ready to contribute to the industry. Did you know that you can be part of the lucrative cybersecurity industry? Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cybersecurity professionals. The cybersecurity industry has a 0% unemployment rate. The average salary for an entry-level cybersecurity job is about $100,000 per year in the United States. Furthermore, you don't need to know coding, you can learn from home, and you get a scholarship to kick-start your career. Apply now. EC-Council is pledging a $3,500,000 CCT scholarship for cybersecurity career starters. Scan the QR code on the screen to apply for the scholarship and fill out the form.
-
Now, about our speaker, Dr. Luis. Dr. Luis Noguerol is the Information Systems Security Officer for the U.S. Department of Commerce, NOAA, where he oversees the cybersecurity operation for six states in the Southeast Region. Dr. Luis is also the President and CEO of the Advanced Division of Informatics and Technology, Inc., a company that focuses on data recovery, digital forensics, and penetration testing. He is a world-renowned expert in data recovery, digital forensics, and penetration testing. He holds multiple globally recognized information technology and cybersecurity certifications and accreditations and is the recipient of multiple awards in technology, cybersecurity, and mathematics. He currently serves pro bono as an editorial board member and reviewer for the American Journal of Information Science and Technology, is a member of the prestigious high-edging professor program for undergraduate and graduate programs at multiple universities in the U.S., and is a reviewer for the doctoral program at the University of Karachi in Pakistan. He is the author of multiple cybersecurity publications and articles, including "Cybersecurity Issues in Blockchain: Challenges and Possible Solutions." He is also one of the co-authors and reviewers of the worldwide acclaimed book "Intrusion Detection Guide."

Prior to obtaining his doctorate degree in Information Systems and Technologies from the University of Phoenix, Dr. Luis earned a Bachelor of Science in Radio Technical and Electronic Engineering, a Bachelor of Science in Telecommunications and Networking, and a Master of Science in Mathematics and Computer Science.

Without any further delay, I will hand over the session to you, Dr. Luis.
-
Thank you very much. Thanks. Okay. Good morning, everybody, good afternoon, and good night, depending on the specific area in which you reside. We are going to have an interesting conversation today about digital forensic best practices from data acquisition to analysis. This is the title of the presentation, or the subject, and I'm more than happy to be here with you all and share some of my expertise. So, let's go ahead and start the conference, okay? She already mentioned some of my credentials. I have been working in cybersecurity at this point for over 41 years. This is in my DNA, a topic that I like and respect more than any other; I cannot talk about any other topic in my life the same way.

Before we go on, I have here a statement that I put together for you, okay? Digital forensic best practices. Well, consideration number one, just to break the ice: in the labyrinth of cyberspace, where shadows dance through encased passages and data whispers its secrets, the digital detective emerges. This is us, the digital forensic experts. Clad in lines of code and armed with algorithms, we seek the hidden treasures of truth, solving enigmatic cybercrimes. With a virtual magnifying glass (this is what we do) we dissect the digital tapestry, unveiling the footprints of elusive cyber culprits. This is what cyber forensics, or digital forensics, is about. Each keystroke and pixel holds a clue, something that we can use in our favor. And in this mesmerizing world of the digital era, of ones and zeros, the art of digital forensics is about finding the secrets of the digital reality.

Digital forensics is about finding evidence that can lead to a particular process. It can be a legal process, or it can be any other kind of process. But what is digital forensics from my point of view? Well, I mentioned earlier that I've been working in cybersecurity for 41 years. My specialties are penetration testing, data recovery, and digital forensics. I've been working for police departments in multiple places, doing digital forensics for them. So I tried to put together an easy definition for you, from my standpoint, of what digital forensics is. Digital forensics investigates digital devices and electronic data to use as evidence, to understand digital events, and to trace illicit activities. Please note that I don't say electronic information; I use the word "data" intentionally. This is a key component of digital forensics. Normally speaking, digital forensics happens, of course, after the fact, and the idea of digital forensics is identifying traces, okay, that lead to particular data that we can gather together and draw a conclusion from. It involves the systematic collection, preservation, analysis, and presentation of digital evidence in legal proceedings. This is key today because we are technology-dependent, and there are multiple states, at least in the USA, and some other countries, where digital forensics is still in limbo because it's not accepted in the court of law. Okay. So, this is very important to keep in mind. What are we going to do from the digital forensics standpoint, the data collection process, and the analysis? Digital forensics experts use specialized techniques and tools to extract data from computers, smartphones, networks, and digital storage media to support investigations and resolve legal matters. So this is basically what digital forensics is about.

Let's go ahead and start with the technical part, which is the topic I like most. Okay, let's talk about those 30 best practices that I've put together for you. At the end of the presentation, you will have the opportunity to ask as many questions as
-
you like.

1. Follow legal and ethical standards: For this particular first point, I am not going to make any comment. I believe that ethics is a key component of cybersecurity. We always have to follow the rules. We must always follow the legal procedures in the places in which we operate, because every single place is a different component.

2. Understand the original evidence: This is key. Okay. You always have to maintain the integrity of the original evidence to ensure it is admissible in court. Any kind of manipulation or modification will result in disqualification from the court system.

3. Document everything: This is something that technical people like me don't like too much, but when it comes to digital forensics, we have to document every single step we take. We have to record all the steps we follow, and we want to make sure that everything is documented and recorded in a specific chronological order. This is a key component for digital forensics, or investigations, to be accepted in the court of law.

4. Secure the scene: It's not just physical crime scenes that need to be secured to prevent contamination or tampering. If you present anything in court and the opposing party has the ability to prove that something was not preserved, the conversation is over.

5. Chain of custody: I'm going to repeat this more than once during the presentation. Sorry. Chain of custody refers to how you establish and maintain the evidence and the process that facilitates how the tracking process is handled.

6. Use write-blocking tools: This is another key component of digital forensics. It means that you have to use the appropriate hardware and software write blockers when you are collecting data, to prevent alteration. There is a set of tools you can use, and at the end of the presentation, I'm going to provide you with a specific set of tools you can use as write-blocking tools.

7. Verify hash values: This is how you calculate and compare hash values to verify the data's integrity. There is often confusion about integrity, confidentiality, and availability. In digital forensics, the most important component is integrity. It means that we must make every effort to ensure that the data is not modified in any possible way, from the time we arrive at the scene to the time we present the evidence in court, and even after that as well.

8. Collect volatile data first: Okay, this obviously makes perfect sense. You have to prioritize this type of data collection, as it can be lost or modified when the system is powered down. For many of you, what I'm going to tell you may sound not appropriate, and this is the following assessment: we've been told from the time we arrived at school, and even at work, that information or data in random access memory (RAM) disappears when the computer is shut down. Back in 2019, I made a presentation similar to this one for this account, in which I proved that the data in RAM can be recovered. Okay. So, what we have been learning in multiple places, and what you can easily find on Google, that data in RAM is lost when computers are powered down, is not exactly correct.

9. Forensic image: You have to create a forensic image of storage devices to work with copies. You must always present the original evidence. This is a requirement in the court of law. You must present the original evidence every single time.

10. Data recovery: Data recovery is closely associated with digital forensics, for obvious reasons. Okay. You have to employ specialized tools to recover deleted or hidden data. This is also something to keep in mind. At the end, I'm going to provide some specific applications you can use to do data recovery.
-
11. Timeline analysis: You must construct and analyze timelines to understand the sequence of events. What happened first? The chronological order is a mandatory requirement in the court of law. You cannot present evidence in court in a random manner. You have to follow the specific chronological order.

12. Preserve the metadata: Ensure metadata integrity to verify results, timing, and authenticity of the digital artifacts you are going to present in the court of law.

13. Use known good reference data: This means you have to compare the collected data with known good reference data to identify anomalies, specific patterns, and statistical processes. Many times, you have to do this as well.

14. Anti-forensic awareness: You have to be aware of the anti-forensic techniques in use. There are multiple applications that work against digital forensics. So, you must be aware of that. Before you start the digital forensic analysis, while working on the data collection process, you want to make sure you don't have any anti-forensic tools or applications installed on the particular host or hosts in which you are going to conduct the investigation.

15. Cross-validation: This is what brings actual reputation and respect to the data you are presenting in the court of law. Okay?

16. Standard operating procedures: These are a very important component that is oftentimes overlooked, and it's about developing and following SOPs that maintain consistency. This is why documentation is key, and it was presented in slide number one.

17. Training and certification: These are also important components, and this is relevant. The reason why it's relevant is that I understand you can learn many things by yourself. This is becoming more popular as we become more technology-dependent. This is normal and expected, but certifications still hold particular value. There are multiple questions in certification exams, in general terms, not only in EC-Council certifications but others, that, most likely, if you don't go through the certification process, you will never find out about. And this is what some people say: "Well, this is theoretical information." Digital forensics involves a lot of theoretical information, A LOT. Remember that we are doing the analysis at a low level, from the technical standpoint. So theory is extremely important and relevant when we do forensic investigations, digital forensics. The same happens with medical doctors. When medical doctors do a forensic analysis of the body of someone who passed away, they also employ a lot of theoretical knowledge they have been accumulating. Digital forensics is no different.
-
18. Expert testimony: Okay? I, for example, live in Miami, Florida, in the USA, and I am one of the 11 experts certified by the legal system in the 11 districts. This means that when you go to court, you have to be classified as an expert in order to provide comments and evidence. Otherwise, you will probably not be able to speak in court, as what we say in court is relevant for the case. And with our wording or statement, along with the evidence we provide, we have the ability to put somebody in jail or release this person from jail. So, this is extremely important. Okay?

19. Evidence storage: This is one of the most important components. Your opponent in court, or in your company, will try their best to challenge what you are presenting. So, you have to safely store and protect evidence to maintain its integrity. Integrity is the most important characteristic or consideration in digital forensics, without any other factor coming close. So, integrity is everything in digital forensics. Okay?

20. Data encryption: There are multiple cases in which you will do digital forensics on encrypted storage devices, encrypted data, or encrypted applications. You need to develop the ability to handle encrypted data and understand the encryption methods. Among my publications, I have over 25 on different topics and concepts within security. A few of them, probably five or six, are specifically about encryption. If we want to do digital forensics, we must become data encryption experts. There is no other way. I understand that many people don't like math, statistics, physics, etc., but this is a requirement for doing an appropriate digital forensic assessment. It's a necessity today. Okay?

21. Network analysis: The other consideration, and this is for the people who love technology like me attending or watching this conference, is the network. I am a big fan of networks. I have been working in networking for 41 years. My doctoral degree is in telecommunications and cybersecurity. So, networking is in my DNA. I love networking more than any other topic in information technology. Network analysis is the ability to analyze network traffic, logs, and data to trace digital footprints. I'm pretty sure everyone has a tool in mind, and, of course, this tool is most likely part of the tools I'm going to provide on the last slide for you. But network analysis today, from a digital forensics standpoint, is everything. Everything is network-related in one way or another.

22. Malware analysis: We need to develop the ability to understand malware behavior and analysis, and how that malware impacts systems. This needs to be incorporated as part of the cybersecurity analysis when performing digital forensics today.

23. Cloud forensics: I don't have to highlight how important cloud operations are. Okay? We are moving operations to the cloud, and for those still running operations on-premises, there is a high expectation that sooner rather than later, you will move operations to the cloud for multiple conveniences. However, the configuration at this point does not fully benefit from all aspects of the cloud. From a forensic standpoint, when you do cloud forensics, the situation is a little different from on-premises investigations. So, you have to adapt methodologies for investigating data in the cloud, regardless of the cloud provider. Here, as a matter of fact, you can see AWS, Google, Azure, or anyone else. The operation in the cloud is somehow different from a digital forensics standpoint, starting with how you access the data.

24. Remote forensics: Remote forensics is the opportunity to develop skills for collecting and analyzing data from a remote location. This is happening more frequently now, as we become more telework-dependent. In multiple cases, in my own company, for example (knowing my job with the government, but also owning my own company), I have been doing more remote digital forensics in the last two or three years, probably two years, than probably ever before in my life. So, this is an important skill to develop as well.
-
25. Case management: This is how we use digital forensics case management to organize and track investigations. I mentioned to you that I go to court very often, more often than I want, very, very often. Okay. And they scrutinize every single protocol you present, every single artifact, every single document, and the specific chronological order. This is a complex process. It's not just collecting the data, performing the digital forensic analysis, and going to court to testify. Okay? The process is much more complex than this.

26. Collaboration: Collaborate with other experts, and there's one in the middle that I'm going to highlight in a few. Collaborate with other experts, law enforcement, or organizations for complex cases. Cases are different from one another. Of course, this is okay, and I know you know that. Okay? But you have some cases sometimes in which the forensic analysis becomes very complex. In those particular cases, my advice is to collaborate with others. Okay? You do better when you work as part of a team and not when you work independently.

27. Data privacy compliance: I was going to skip this one for a minute, but it is relevant. Every single state, every single one, no exception: each state court operates under different requirements. So, you want to make sure that you follow the privacy regulations in your specific place. Okay? And by the way, I'm going to ask you a question. I'm not expecting any response. But the question is: by any chance, do you know the specific digital forensic regulations in the place you live? Ask yourself this question, and probably some of you are going to respond "no." This is a critical thing.

28. Continuous learning: You need to keep asking about what we do. Okay? Cybersecurity is a specialization of IT. From my point of view, it's the most fascinating topic in the world. This is the only topic I can talk about for 25 hours without drinking water. This is my life. I dedicate multiple hours every single day, seven days a week, even when it creates some personal problems with my family, etc. This is in my DNA. I encourage each of you, if you are not doing so, to dedicate your life to becoming a digital forensics expert. Digital forensics is one of the most fascinating topics on the planet. Okay. And you want to be attentive to these types of things.

29. Report and presentation: When you go to court, or when you present the outcomes of all the digital forensic work to your organization, you want to make sure that you use clear language, you are concise, and you are ready for the question-and-answer part of the presentation. You never want to go to court unprepared. Okay? Never in your life. This is not appropriate because, at the end of your assessment, you have the possibility of putting somebody in jail, or of somebody being fired from the organization or not. So what we say is relevant. Our wording has a huge impact on other people's lives. It's important to be attentive to that.

30. Artificial intelligence in digital forensics: One of the most
-
to be attentive to that. One of the most
-
relevant topic that I have been using in
-
my practice is the use of artificial
-
intelligence in digital forensic. Since
-
2017, this is not a topic that is well
-
known. At this point, the reason why I
-
really want to share my experience--
-
practical experience with you guys,
-
digital evidence analysis, how artificial
-
intelligence can help us. Well, everybody
-
knows that we have multiple applications
-
that we can use in order to analyze
-
the different kind of media that can be
-
generated. For example, text, image, and
-
videos, artificial intelligence studies
-
have the ability to detect and flag
-
potential relevant content for
-
investigations, especially from the
-
timing standpoint. Digital forensic is
-
extremely time consuming, very, very
-
time consuming and complex. This is
-
probably along with data recovery the
-
most complex specialization in
-
cybersecurity. So the use of artificial
-
intelligence, in our favor, is very
-
convenient. And at the end, I'm going to
-
include as well or actually I included
-
in the list a particular artificial
-
intelligence tool that you can use in
-
your favor. The other use of artificial
-
intelligence is pattern
-
recognition. Artificial intelligence can
-
identify patterns in data, helping
-
investigators recognize anomalies or
-
correlations in digital artifacts that
-
may indicate criminal activity.
-
Out of the whole sentence, the most
-
important question is: "What is the key word?" The key word,
-
correlation. How do we correlate data by
-
using artificial intelligence? The
-
process is going to be simplified
-
dramatically. Speaking based on my
-
personal experience, the other component is
-
NLP. This can be used to analyze
-
text-based evidence, including logs
-
and emails, to uncover communication
-
patterns or hidden minutes. A lot of
-
evidence that we collect, about
-
65%, is included in emails, chats,
-
documents, etc., so this is when NLP plays
-
a predominant role in artificial
-
intelligence in the digital forensic
-
analysis for image and video analysis. It provides
-
incredible benefits. Okay? You have the
-
ability to analyze multimedia
-
content to identify objects, people, and
-
potentially illegal or
-
sensitive content. I’m sure a word
-
is coming to your mind right now, steganography.
-
Yes, this is part of steganography, but it's
-
not similar to doing steganography by using a
-
particular application. When you
-
employ artificial intelligence tools
-
that are dedicated exclusively to
-
digital forensics, the benefit is really
-
awesome. Predictive analysis: Machine
-
learning models can predict potential
-
areas of interest in an investigation,
-
guiding forensic experts to focus on
-
critical evidence. Imagine that you are
-
analyzing a hard drive that is one
-
terabyte holds a lot of
-
documents, videos, pictures, sounds, etc. You
-
know that, right? If you are
-
attending this conference, it’s because you
-
are very familiar with information
-
technology, cybersecurity, and digital forensics.
-
Well, how do you find the specific data you
-
need to prove something in a court of
-
law? You have to be very careful
-
about the pieces of data you pick for
-
the analysis, otherwise, your
-
assessment is not appropriate. And again,
-
every single word we say in a court
-
of law or in the organization we
-
are working for is relevant. It implies
-
that probably somebody will be in jail
-
for 30 years, or probably somebody, if we’re
-
talking about a huge crime like an
-
assassination or child pornography abuse,
-
will face consequences like death. Our
-
assessment is critical. Okay? We become
-
the main players when
-
digital forensics is involved. We have to
-
be very careful about the way we do it.
-
This is not a joke; it's very serious. Okay?
-
Predictive analysis, machine learning
-
models, or artificial intelligence are
-
pretty close in this concept and can predict
-
potential areas of interest in an
-
investigation. But we also talk about
-
detection. Artificial intelligence
-
driving security tools can identify
-
cyber threats and potential cybercrime
-
activities, helping law enforcement and cybersecurity
-
teams respond effectively and
-
proactively. More importantly, the
-
majority of us have multiple tools that
-
we call proactive
-
in our place of work. Okay? We
-
have different kinds of monitors, etc. But
-
the possibility to do something in a
-
proactive mode is really what we want.
-
Evidence authentication: Artificial
-
intelligence can assist in the
-
authentication of digital evidence,
-
ensuring its integrity and the
-
possibility of this data being admitted
-
in court. Data recovery: Artificial
-
intelligence helps with the recovery of
-
data that has been deleted
-
intentionally or unintentionally. It
-
doesn't matter. When we do digital
-
forensics, we want to have as much data as
-
we can to make a case
-
against a particular party. From the
-
malware analysis standpoint,
-
artificial intelligence brings a lot of
-
speed, and this is needed because, again,
-
you are looking for a needle in a ton of
-
water or in a ton of sand, and this
-
is very complex. From the network
-
forensic standpoint, we are accustomed to
-
using tools such as Wireshark, which everybody
-
knows, well, anyway,
-
there are now specific artificial
-
intelligence tools for network forensic
-
analysis. I have included two of
-
those tools in the list on the last
-
slide. Automated trace: This is one of the
-
most important considerations for you to
-
consider with artificial intelligence in
-
digital forensics. Speed is key. It’s basically
-
the ability to do
-
correlation between large data sets. Case
-
priority: Artificial intelligence can
-
assist investigators in
-
prioritizing cases based on factors like
-
severity, potential impact, or resource
-
allocation, meaning timing.
-
Predictive policing: This is super important
-
because, until today, digital forensics has
-
always been reactive. We react to
-
something that happened. The possibility to
-
make predictions in digital forensics is
-
fantastic. It has never happened before.
-
This is new, at least for me. I started
-
using artificial intelligence back in my own
-
company in 2017, and I have been able to
-
that in
-
multiple cases for the police department
-
in Miami and in other two cities in
-
Florida: Tampa and St. Petersburg. The
-
results have been amazing. Document
-
analysis: You know that NLP can extract
-
information from documents and analyze
-
sexual content for investigations.
-
Artificial intelligence dramatically minimizes
-
the time needed for that.
-
Emotional recognition: Everybody
-
knows what happened with the DSP
-
algorithms. Okay? So we can use artificial
-
intelligence to analyze videos,
-
which is awesome because our eyes, our
-
muscles in our eyes, don't have the
-
ability to lie. We can lie when we speak,
-
or we can try, but our eyes’ reactions
-
to a particular stimulus cannot be hidden
-
or cannot be modified. So this is unique.
-
From the data privacy and compliance standpoint, you
-
also have the ability to
-
automate the specific data you want to
-
include as part of your report. Okay? Now,
-
the digital forensic data acquisition steps, from my standpoint, after 41 years of experience:

Preservation: We already talked about this. Preservation is integrity. Okay? This is the most important consideration, categorically speaking, in any kind of digital forensic investigation. You have to preserve the data as it is. And remember, you never use the original data for your forensic analysis, never. You always use a copy. And to make copies, you have to use bit-by-bit applications. Bit-by-bit: you cannot copy bytes, or you cannot copy data and forget about the information. So, preservation is the most important thing.

Documentation: We already know that everything needs to be documented, okay? From the crime scene to the last point.

Chain of custody: One more time, and I guess I'm going to mention this one more time, because chain of custody opens the door for you to present a case in the court of law, or to prove, in your organization, that what you are presenting is appropriate.

You have to plan how you are going to collect the data. You have to plan in advance the specific tools you are going to use and what methods you are going to consider in your data collection process. This is relevant, and you always have to consider the cons. The cons are probably more important than the pros when you select, or decide to use, a particular application for the data acquisition. You always want to focus on the negative. People usually tend to talk about the positive: "Oh, I like Wireshark because of this and that." It's better that you focus on the negative. In information technology, everything has pros and cons, no exceptions. Exceptions do not exist; there is not one exception. Everything positive has something negative in information technology, and this is what you want to focus on to avoid problems at the end. Okay?

So how about the verification process? You have to verify, before you work with the real data, that the tools and methods you selected work. Okay? You never want to mess with the original data; you need to work with a copy. You want to test, in a test environment, your tools, your methods, your approach, and the steps you are going to follow. It is very time-consuming, it is, but, by the way, it's also very well paid. It is very well paid. The only thing I can tell you is that it's very well paid; you have no idea. If you become a cybersecurity expert and specialize in digital forensics, this is where the money is, and trust me, this is where the money is. Okay? I'm telling you first-hand.

Duplication: We talked about that already. The only way to do that is by creating a bit-for-bit image. There are no other ways. Okay? This is why you want to use write-blocking devices, software and hardware. I mentioned that before.

Checksums and hashing: These are different concepts that some people are still confused about. Okay? There is a huge difference between the two. The main one is that hashing is a one-way function: you go from the left to the right, and usually you don't have the ability to come back to replicate the process. Of course, if you have the algorithms on hand, then you can do reverse engineering; this is obvious, but this is not what happens in regular conditions. Okay? So checksums and hashing both minimize the possibility that you make a mistake in your digital forensic analysis.

Acquisition: Okay, so how are you going to collect the data? What particular tools are you going to use? You always have to maintain strict read-only access to the source. If you have the ability to manipulate the data in the source, you have the ability to tamper with what is actually the most important consideration out of the CIA triad, which is integrity. If the opponent, the opposite party to you or, in your organization, the defendant in other words, has the ability to prove that the original data or source can be manipulated in any way, the conversation is 100% over and the case will be dismissed, categorically speaking. There is no more conversation. So this is a humongous responsibility when it comes to data acquisition: what protocols you use, the specific tools, how you plan it, how you document it. It is a very painful process, in other words. Okay?

Data recovery: We already talked about the complexity of finding a needle in a ton of sand. This is super complex, okay, but it's doable. The only thing you have to use is the appropriate tools, and you need to have a specific plan, because every single case is 100% different.

Digital signatures: Sign the acquired data hashes with a digital signature for authentication. There are multiple cases
-
today in which H signatures are not
-
accepted anymore in the go government I
-
am a Federal Officer for the US
-
Department of Commerce in USA in the
-
government we are not allowed to sign
-
anything by hand for many years back
-
many years okay digital signatures have
-
a specific component that minimize
-
dramatically speaking the possibility of
-
replication and this is why this is
-
accepted in the court of law
-
Verification: verify the integrity of the acquired image by comparing hash values with those calculated before. The hash values must be exact, no difference, not even 0.001 percent; it must match 100%, categorically speaking. Otherwise the court is going to dismiss the case as well, or the organization probably is not going to take the appropriate action versus a particular individual or problem or process. Okay.

Logs and notes: we already talked about documentation at the beginning. You have to actually make sure that everything is timestamped. As I mentioned before at the beginning, digital forensic evidence must be collected in a particular order, analyzed in the similar manner, and presented in the report in the specific order in which the process was done. Otherwise the process is going to be disqualified, and this is exclusively, at this point, our own responsibility and nobody else's. Okay.

The storage: we already know that chain of custody is one of the most important components. There are multiple forms, depending on the state in which you live and the countries as well, that you have to follow. If you miss a check mark, or if you put a check mark in the wrong place on those particular forms, you are basically dismissing the case yourself, unintentionally. The court doesn't work in the way many of us believe. Okay? We have the possibility to put somebody in the electric chair, or to release, to provide to this particular individual or organization what we said is relevant. Okay, this is very important.

The briefing: you always have to be in communication with all parties, both the one presenting the digital process, or ruling the process, and the other party as well. You cannot hide anything, zero, from your opponents in the court of law or from the defendant's party, never in your life. This is why the first bullet in the whole presentation was, as you may remember, ethics. Okay? In digital forensics we provide what we know to the other parties as well, even to the defendant, to the opponents, every single time, no exception, and we provide every single artifact with the clearest possible explanation to the opponents. This is how the digital forensic process works; otherwise it will be dismissed as well in the court.

Storing: you have to make sure that every single piece of digital evidence is properly stored, and then that you follow the process by the book. Again, if you skip one step, just one out of 100 or 200, depending on the case, the case is going to be dismissed, no exceptions. The court goes by the book, as you can imagine, and your opponent is going to be very attentive to the minimum possible failure to dismiss the case. Okay, so how you transport the data from one place to the other place: chain of custody, this is the key component, chain of custody.

Data encryption: you have to make sure that you prevent integrity manipulation, and you always want to ensure the confidentiality of the data. CIA: we already talked about the components, confidentiality, integrity, availability. From the digital forensic standpoint the most important, no exception, is integrity, and also the confidentiality. Okay.

So from the recovery image standpoint, you always want to have a duplicate for validation and reanalysis, and remember that you always want to work with a copy of the digital evidence, 100% of the time, not 99. You have to preserve the original evidence; this is part of our responsibility, and this is why we do bit-by-bit analysis and bit-by-bit copy. It's complex. Okay.

Now, a specific step in digital forensics: to analyze the collected data. At this point you already went through multiple processes and spent a lot of time. How do you analyze the data you have? Because you are going to have probably terabytes of data. Okay, well, you have to make sure that hashing and digital signatures and the chain of custody have been followed.

Data prioritization: what happens and what is more relevant. You cannot present in the court two terabytes of data or 2,000 pages; this is irrelevant for the case. Okay? You have to make sure that you use keywords in order to provide a solid report to the court for this particular case. For the keywords, artificial intelligence has been proven to me to be of huge help.

File carving: you have to use a specialized tool to recover files that may have been deleted or intentionally hidden.

Timeline analysis: we talked about it. You have to do everything by following a particular sequence of activities. In other words, you have to present and do the analysis in chronological order, in the way that you collected the data. This is the exact way you do the analysis, and later you do correlation, okay, but you have to follow a particular chronological order.

Data recovery: you have to do your best to reconstruct the data that has been deleted or probably damaged, even by a physical or electronic condition in the storage media.

The metadata analysis is also complex. Okay, this is the next component after the timeline analysis. Metadata includes multiple kinds of data, so this part of the analysis is going to be complex and more time consuming than the data collection, and the data collection is already very time consuming.

Content analysis: you have to be very careful, because this is basically what the forensic analysis is going to be.

Pattern recognition: how you can match one bit of data with another bit. Okay, is there any association between bits, between bytes, between data, between words? This is a critical component.

Communication analysis: again, you want to make sure that you include everything. Emails today are probably the most relevant component of digital forensic analysis; you want to make sure that you master email analysis as well.

Data encryption: you always have to keep in mind the confidentiality. And when we are talking about the recovery, or the recovery image, I mentioned that as well, similar to the chain of custody before, because you always have to preserve the original data.

Digital evidence examination: you want to make sure that you verify the integrity of the data you have been acquiring, including hash values, digital signatures and the chain of custody. We talked about this already; this is a repeat of the slide, by the way.
Okay, so database examination, and you're seeing a duplicate slide, so this slide is the same as this one. Okay, so my apologies for that; it's my fault. Database examination: investigate databases for valuable information, including structured data and log entries, etc.

Media analysis: this is a very complex process, because it's usually about steganography, or includes steganography, and this is about images, videos, audio, geolocation and digital signatures.

Network traffic analysis: tools such as Wireshark, but my suggestion is that you use all the tools that are part of the artificial intelligence applications we can use today and are available in the market.

Steganography is always complex, okay, because steganography includes not only images but in many cases audio as well, and this is very complex, time consuming. You always want to make sure that you use the appropriate steganography analysis techniques, and there are multiple, specific ones.

For volatile analysis, as I mentioned before, there are multiple ways to do data acquisition from RAM memory. When we turn off the computer, all the data from RAM doesn't go away. This is what everybody says, this is what Google says, this is what people that never do forensic investigation repeat; this is not appropriate, if you know how to do it. And again, I made the presentation for EC-Council in 2019; if you Google my name and this presentation, you will be able to find a particular video in which I was able to recover data from RAM memory after the computer was taken down, taken down, believe it or not. Go for the other presentation in the EC-Council database, and you will be able to see the video. Okay.

Comparison: you have to do cross-referencing every single time to make sure that the data you identify is appropriate, and you always identify deviations and inconsistencies before you do the final report. I told you already, when you present the report in the court of law, a minimum mistake, something minimal, will be disqualified in the case. For example, in this presentation I included by mistake this slide and this slide; if I do that in the court of law, it is dismissed. Okay? That's it, there's no more conversation.

The emotion analysis, we have talked about that. We are talking about persons; digital evidence is always related to people, processes, applications, hardware, software, so we want to make sure that what we present is accurate.

And from the documentation, at some point it was the second point in the presentation: we have to document everything. Reporting is about compiling in a clear and comprehensive manner, including summaries, methodologies and supporting evidence. You have to include, or at least in my case I always include, the recordings of everything I do. Everything means even if I open my personal email, or if a notification comes to my computer and I open something in my WhatsApp, for example, this is part of the recording as well. Okay, so you have to make sure that you provide an expert testimony; in order to do that you have to be an expert in digital forensics.

Peer review: consult with others, with your partners, with the opponent, with the defendant's party, before you present. It's not that you are going to modify the report because the defendant doesn't like it, this is not what I'm telling you; it's just that you are going to provide the report, and by the way, you must provide the report to the defendant before you go to the court. By the time you stand up in the court, everything needs to be done; the other party needs to know exactly what you are going to present. This is how the legal systems work, okay, with the exception of very few countries, but in the world this is how it works.

So the quality assurance is just making sure that what you present is appropriate. The case management is how you use the digital forensic case management system to track everything in the analysis process. And from the data privacy compliance, I told you already: every single place, every single city, every single state operates under different conditions.

Popular tools for digital forensics, a few of those: EnCase, Autopsy, AccessData Forensic Toolkit (everybody knows what it is), X-Ways Forensics, Cellebrite, Volatility, Wireshark (everybody most likely knows it), Oxygen Forensic Detective, and the Digital Evidence and Forensic Toolkit. So some of those are included in Kali, others are not; some are open source, others are extremely expensive, for example EnCase, which is very, very expensive.

Some relevant references about digital forensics: I prefer to use keywords and not particular references or books, because I don't recommend any specific book, instead the combination of content and knowledge and expertise. But some words, or keywords, you can use if you want to expand more in digital forensics are: digital forensics best practices and challenges, mobile digital forensics, network forensic techniques, cloud forensic investigations, Internet of Things forensics, memory forensic analysis (because you want to stop repeating what you have been learning for years, that when you take down the computer, when the computer is turned off, there is a lot of data that remains in RAM memory for a particular amount of time, of course, okay, so try to expand on this topic), malware analysis in digital forensics, and cybersecurity and digital forensics trends. Those are keywords that will be facilitating your expansion, or you expanding, on digital forensic knowledge.

Other considerations are some particular journals. Okay, in this case I'm going to risk it and recommend Digital Investigation, that is published by Elsevier, which is one of the top in the world. The other one is the Journal of Digital Forensics, Security and Law, and Forensic Science International: Digital Investigation.

I'm open to any question you may have, and one more time, before I close my lips, I want to sincerely thank you, EC-Council, for another opportunity to talk about this fascinating topic. Thank you very much to all the staff in EC-Council that work tirelessly, who made this presentation a possibility, and thank you so much as well to you guys for attending the conference and for the questions that you may ask.

Thank you very much, Dr. Lewis, for such an insightful and informative session. That was really a very interesting webinar, and we hope it was worth your time too. Now, before we begin with the Q&A, I would like to inform all the attendees that EC-Council's CHFI maps to the forensic investigator and the consultant, digital forensics. Anyone with the CHFI certification is eligible for 4,000 plus job vacancies globally, with an average salary of $95,000. If you're interested to learn more, kindly take part in the poll that's going to be conducted now. Let us know your preferred mode of training and we will reach out to you soon.
Dr. Lewis, shall we start with the Q&A?

Yes, I'm ready.

Okay, our first question is: how to prove in a court of law that the collected evidence is from the same object and not collected from any other object?

This is a very important question; I really appreciate the clarification on this topic. As I said, we have to be very careful about the way we collect the data. When we are talking about objects, objects are associated to bits, not to bytes only, but bits. And as I mentioned multiple times, when we do the copy of the original data we want to make sure that we always do bit by bit. When you do bit by bit, and not byte by byte, because a bit implies up to 3.4 volts in electricity, we are eliminating the possibility of mistake. Objects are bigger; a bit does not constitute an object. Objects are formed by multiple bits. This is why we have to do the analysis bit by bit, and I mentioned that multiple times.

Thank you for answering that question. Our next question is: what kind of forensic data can we obtain from encrypted data where the key is not available to decrypt the data?

Could you please repeat the question?

What kind of forensic data can be obtained from encrypted data where the key is not available to decrypt the data?

You encrypt data...

I'll just paste the question to you on chat, Dr. Lewis.

I'm not watching the chat right now; something happened. I'm not watching the chat, sorry. Hello, hello, hello, can you hear me?

Yes, I can hear you. Yes, I have posted the question on the chat, Dr. Lewis.

Okay, okay, please.

Yes, I have already pasted it.

Okay, let me check here. Okay, give me a second. Okay: what kind of forensic data can be obtained from encrypted data? Oh, okay, okay. Well, this is another misperception. Okay, everybody knows that when the data is encrypted we cannot open the data, or the particular file, document, video, any kind of digital forensic data. Let me tell you something: there are multiple forensic tools that have the ability to decrypt the data even when we don't have the key. And I understand the key component, and I understand the two types of encryption, symmetric and asymmetric, and as I said, I have multiple publications about encryption, but there is most likely always the possibility to decrypt data without having the encryption key. I understand that it doesn't sound popular; it's not what we hear every single time, but when we specialize in digital forensics we usually have the tools we need to decrypt the data, especially if you are using artificial intelligence. Also in the government, at least in the US government, in my operation, in the operation I direct, I handle, I supervise, we are using artificial intelligence for multiple things in cybersecurity since 2017, and we are also using quantum computing. Quantum computing is not coming; quantum computers are in use in the US government for years now, so we are using quantum computing for years. There are multiple ways to decrypt the data when the encryption key is not available, multiple ways, multiple applications as well that help with the process. It's very time consuming, but there is a possibility for that, and this is a great question, because the question is, okay, how about if the hard drive is encrypted, there is nothing that I can do, right? No, this is not like that. There are always ways to decrypt the data, always; it doesn't matter how strong the encryption is, but you need to have the appropriate tools in place. For example, I'm going to mention just one: EnCase. When I presented some tools that I suggest before, I said that EnCase is very expensive. EnCase does "magic," between quotation marks, man; EnCase does multiple things that we don't learn in school.

Okay, so I can see the other question here: how to adapt to investigation in the cloud, since the cloud providers do not allow most important operations to access media? When you have to do a case, or conduct digital forensics in the cloud, the cloud providers, 99% of the time (I don't want to say 100 because I don't want to risk that), but usually the cloud providers include in the SLA, in the service level agreement, what is going to happen if a digital forensic or any kind of investigation needs to be performed in the cloud space. So most likely the cloud operator is going to facilitate access to everything you need. Sometimes you have to move and go physically to the place in which the data is hosted. Don't believe that the cloud provider doesn't know where the data is hosted; we know where the data is hosted, specifically. I have been in San Diego, California, and in another state, Hawaii, back in 2019 as well, doing forensic investigation in a cloud environment. It was actually for something government related, and I was given the permission I needed to do any kind of investigation. So cloud providers facilitate forensic analysis, because forensic analyses are usually related to legal cases. There are multiple cases in which, in the USA, we don't have access to this data, and I'm going to mention an example: TikTok. The problem between the US government and TikTok is that when TikTok got the authorization to operate in the USA, the government was one step behind. Okay? And we don't regulate TikTok at this point; TikTok has the ability to prevent forensic investigation in the TikTok platforms for the US government court system or legal system. Okay, but again, usually cloud providers facilitate investigation in the cloud 100%; they cooperate in every single manner; they have to facilitate the forensic investigation.

Thank you for answering that question. We'll take the last question for the day: what are the best open source, free tools for social media forensics?

There is no best open source tool; it is a combination of tools. Number one, digital forensics cannot be performed, categorically speaking, with one or two tools. This is a complex, time consuming and expensive process. I made some suggestions; it's included in the slide, let me see the slide, slide number 16. Okay, this is the slide in which I include EnCase, Autopsy; some of them are open source, as I mentioned before. But there is not a particular tool, or two or three tools, that I will recommend, because on top of that, every single forensic investigation is about a different process; you cannot use the similar tools. This is why there is, at least in the USA, a very small amount of organizations, companies, that specialize in digital forensics as my company does. The reason why is because, between many other things, lack of expertise and expenses. Okay, so I do not recommend a particular tool, instead the combination of tools. There are multiple open source ones; I mentioned a few in slide number 16 of my PowerPoint presentation, but again those are not sufficient. Those are the most popular and strongest, more accurate tools that you can use for digital forensics, but a particular tool, one or two, to do forensic investigation, it doesn't exist; it's impossible.

Thank you again to our wonderful speaker, Dr. Lewis, for answering those questions and for the great presentation and knowledge shared with our global audiences. It was a pleasure to have you with us, and we are looking forward to more and more sessions with you. Before we conclude the webinar, Dr. Lewis, would you like to give a small message to our audiences, please?

Well, no, I just want to thank everybody again, the ones that work tirelessly behind the presentation to you in EC-Council, as always. Thank you very much for the support. To all the attendees, I hope you learned something new. Let me clarify that every single content, wording, words, etc., that I have been presenting for you is my original creation, 100%, not 99.99 but 100%, categorically speaking, and I put together those notes and reflections for you guys with the hope that you can come back to your organization and serve better, that you can become a public servant and go to the court and testify in favor of the party that deserves your benefits. And I sincerely thank you for the opportunity to share my expertise with you guys. Have a nice weekend. Okay, thank you very much for the time and questions. Thank you so much.

Thank you so much, Dr. Lewis, for your message. Before we end the session, I would like to announce the next Cyber Talks session, "Why are strong foundational cybersecurity skills essential for every IT professional?", which is scheduled on November 8, 2023. This session is an expert presentation by Roger Smith, Director, Car Managed IT, Industry Fellow at the Australian Defense Force Academy. To register for this session, please do visit our website, www.ccu.edu cybertalks; the link is given in the chat section. Hope to see you all on November 8th. With this we end the session; with this you may disconnect your lines. Thank you. Thank you so much, Dr. Lewis, pleasure having you.

Likewise, thank you very much for the opportunity. Thank you, have a good day.
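The verification step described in the presentation (the hash of the acquired image must match the value recorded at acquisition exactly, and every chain-of-custody entry must be timestamped and in order) and the speaker's distinction between checksums and hashing, as an added Python example that is not part of the webinar or its slides. The image bytes, the evidence id "EV-0001", the examiner names and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone, timedelta

CHUNK_SIZE = 1 << 20  # 1 MiB: hash images far larger than RAM, chunk by chunk


def sha256_of_image(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Cryptographic (one-way) hash of the whole image, fed in chunks."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def additive_checksum(data: bytes) -> int:
    """A plain checksum (sum of bytes mod 2**32); not a one-way hash."""
    return sum(data) & 0xFFFFFFFF


def verify_image(image: bytes, recorded_sha256: str) -> bool:
    """The verification step: the acquired image must hash to exactly the
    value recorded at acquisition. compare_digest gives a constant-time
    comparison; a single differing bit fails the check."""
    return hmac.compare_digest(sha256_of_image(image), recorded_sha256.lower())


def custody_entry(evidence_id: str, action: str, actor: str,
                  sha256_hex: str, when: datetime) -> dict:
    """One timestamped chain-of-custody record for the evidence log."""
    return {
        "evidence_id": evidence_id,
        "timestamp_utc": when.astimezone(timezone.utc).isoformat(),
        "action": action,
        "actor": actor,
        "sha256": sha256_hex,
    }


def custody_log_consistent(entries: list, recorded_sha256: str) -> bool:
    """Log is acceptable only if entries are in chronological order and every
    hash in it equals the acquisition hash (same evidence, untouched)."""
    stamps = [datetime.fromisoformat(e["timestamp_utc"]) for e in entries]
    in_order = all(a <= b for a, b in zip(stamps, stamps[1:]))
    same_hash = all(hmac.compare_digest(e["sha256"], recorded_sha256)
                    for e in entries)
    return in_order and same_hash


# Constructed sample image (3 MiB of patterned bytes) standing in for a real
# bit-for-bit acquisition; RECORDED_SHA256 is what the examiner logs at acquisition.
ORIGINAL_IMAGE = bytes(range(256)) * (3 * 4096)
RECORDED_SHA256 = sha256_of_image(ORIGINAL_IMAGE)

# Same bytes with two positions swapped: the additive checksum cannot tell
# the difference, the cryptographic hash can.
_swapped = bytearray(ORIGINAL_IMAGE)
_swapped[10], _swapped[20] = _swapped[20], _swapped[10]
TAMPERED_IMAGE = bytes(_swapped)

T0 = datetime(2023, 10, 27, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
CUSTODY_LOG = [
    custody_entry("EV-0001", "acquired (write-blocked, bit-for-bit)",
                  "examiner A", RECORDED_SHA256, T0),
    custody_entry("EV-0001", "transported to lab",
                  "examiner A", RECORDED_SHA256, T0 + timedelta(hours=2)),
    custody_entry("EV-0001", "verified before analysis",
                  "examiner B", RECORDED_SHA256, T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    print("original verifies:", verify_image(ORIGINAL_IMAGE, RECORDED_SHA256))
    print("tampered verifies:", verify_image(TAMPERED_IMAGE, RECORDED_SHA256))
    print("checksums equal:  ", additive_checksum(ORIGINAL_IMAGE)
          == additive_checksum(TAMPERED_IMAGE))
    print("custody log ok:   ", custody_log_consistent(CUSTODY_LOG, RECORDED_SHA256))
    print(json.dumps(CUSTODY_LOG[0], indent=2))
```

The swapped-bytes case is the point of the checksum-versus-hash distinction: the sum is unchanged, so only the cryptographic hash reports that the image no longer matches what was acquired.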