-
Hello, everyone, and welcome to today's
-
session on digital forensics: best practices
-
from data acquisition to analysis. I'm
-
Shilpa Goswami, and I'll be your host
-
for the day. Before we get
-
started, we would like to go over a few
-
house rules for our attendees. The
-
session will be in listen-only mode and
-
will last for an hour, of which the
-
last 15 minutes will be dedicated to Q&A.
-
If you have any questions during the
-
webinar, for our organizers or
-
speakers, please use the Q&A window. Also, if you
-
face any audio or video challenges, please
-
check your internet connection or you
-
may log out and log in again. An
-
important announcement for our audience:
-
we have initiated CPE credit
-
certificates for our participants. To
-
qualify for one, attendees are required
-
to attend the entire webinar and then
-
send an email to cyber talks at eccouncil.org,
-
after which our team will
-
issue the CPE certificate. Also, we would
-
like to inform our audience about the
-
special handouts. Take a screenshot of
-
the running webinar and post it on your
-
social media, LinkedIn or Twitter, tagging
-
EC Council and Cyber Talks. We will
-
share free handouts with the first 15
-
attendees. As a commitment to closing the
-
cybersecurity workforce gap by creating
-
multi-domain cyber technicians, EC Council
-
pledges $3,500,000 towards ECT
-
Education and Certification Scholarships
-
to certify approximately 10,000 cyber
-
professionals ready to contribute to the
-
industry. Did you know that you can be
-
part of the lucrative cybersecurity
-
industry? Even top companies like Google,
-
Microsoft, Amazon, IBM, Facebook, and Dell
-
all hire cybersecurity professionals.
-
The cybersecurity industry has a 0%
-
unemployment rate. The average salary
-
for an entry-level cybersecurity job is
-
about $100,000 per year in the United
-
States. Furthermore, you don't need to
-
know coding, and you can learn from home, and
-
you get a scholarship to kick-start your
-
career. Apply now. EC Council is pledging
-
a $3,500,000 CCT scholarship for cybersecurity
-
career starters. Scan the QR
-
code on the screen to apply for the
-
scholarship. Fill out the form.
-
Now, about our
-
speaker Dr. Luis. Dr. Luis Noguerol is the
-
Information Systems Security Officer for
-
the U.S. Department of Commerce, NOAA,
-
where he oversees the cybersecurity
-
operation for six states in the
-
Southeast Region. Dr. Luis is also the
-
President and CEO of the Advanced
-
Division of Informatics and Technology,
-
Technology INC, a company that focuses on
-
data recovery, digital forensics, and
-
penetration testing. He is a world-renowned
-
expert in data recovery, digital
-
forensics, and penetration testing. He
-
holds multiple globally recognized
-
information technology and cybersecurity
-
certifications and accreditations
-
and is the recipient of multiple awards
-
in technology, cybersecurity, and
-
mathematics. He currently serves pro bono as
-
an editorial board member and reviewer for the
-
American Journal of Information Science
-
and Technology, and is a member of the
-
prestigious high-edging professor program for
-
undergraduate and graduate programs at
-
multiple universities in the U.S. and as a
-
reviewer for the doctoral program at the
-
University of Karachi in Pakistan. He is
-
the author of multiple cybersecurity
-
publications and articles, including Cybersecurity
-
Issues in Blockchain: Challenges and
-
Possible Solutions. He is also one of
-
the co-authors and reviewers of the
-
worldwide acclaimed book, Intrusion
-
Detection Guide.
-
Prior to obtaining his doctorate
-
degree in Information Systems and
-
Technologies from the University of
-
Phoenix, Dr. Luis earned a Bachelor's in
-
Science and Radio Technical and
-
Electronic Engineering, a
-
Bachelor of Science in
-
Telecommunications and Networking, and a
-
Master of Science in Mathematics and
-
Computer Science.
-
Without any further delay, I will
-
hand over the session to you, Dr. Luis.
-
Thank you very much. Thanks. Okay.
-
Good morning, everybody. Good afternoon, and
-
good night, depending on the specific
-
area in which you reside. We are going to
-
have an interesting conversation today
-
about digital forensic best practices
-
from data acquisition to analysis. This
-
is the title of the presentation or
-
subject, and I’m more than happy to be
-
here with you all and share some of
-
my expertise. So, let's go ahead and start the conference,
-
okay? She already mentioned
-
some of my credentials.
-
I have been working in cybersecurity
-
at this point for over 41 years.
-
This is in my DNA, a topic that I didn’t
-
like and respect as much as I cannot
-
talk about any other topic in my life.
-
Before we go, I have here a statement that
-
I put together for you, okay? Digital
-
forensic best practices. Well,
-
consideration number one: just to break
-
the ice in the labyrinth of
-
cyberspace, where shadows dance through encased
-
passages and data whispers its secrets, the
-
digital detective emerges. This is us, the
-
digital forensic experts. Clad in lines of
-
code and armed with algorithms, we seek
-
the hidden treasures of truth and
-
solving enigmatic cybercrimes. With a visual
-
magnifying glass, this is what we do: we
-
dissect the digital tapestry,
-
unveiling the footprints of elusive
-
cyber cultures. This is what cyber forensics, or
-
digital forensics, is about. Each keystroke and
-
pixel holds a clue, something that we can
-
use in our favor. And in this mesmerizing
-
world of the digital era, ones and zeros,
-
the art of digital forensics is about
-
finding the secret of the digital reality. Digital
-
forensics is about finding evidence
-
that can lead to a particular process. It
-
can be a legal process, or it can be any
-
other kind of process. But what is
-
digital forensics from my point of view?
-
Well, I mentioned earlier that I've
-
been working in cybersecurity for 41 years.
-
My specialties are in penetration
-
testing, data recovery, and digital forensics.
-
I’ve been working for the
-
police department in multiple places
-
doing digital forensics for them. So I try to
-
put together an easy definition for you from my
-
standpoint about what digital forensics
-
is. Digital forensics investigates digital
-
devices and electronic data to use as
-
evidence. Please note that I don’t say
-
electronic information; I use the word "data"
-
intentionally to understand digital events
-
and trace illicit activities. This is a key
-
component of digital forensics. Normally
-
speaking, digital forensics happens, of
-
course, after the facts, and the idea of
-
digital forensics is identifying traces,
-
okay, that lead to particular data that
-
we can gather together and make a
-
conclusion. It involves the systematic
-
collection, preservation, analysis, and
-
presentation of digital evidence in
-
legal proceedings. This is key
-
today because we are technology-dependent,
-
and there are multiple states,
-
at least in the USA and some other countries,
-
where digital forensics is still in
-
limbo because it's not accepted in the
-
court of law. Okay. So, this is very
-
important to keep in mind. What are we
-
going to do from the digital forensics
-
standpoint, the data collection process,
-
and the analysis? Digital forensics
-
experts use specialized techniques and
-
tools to extract data from computers,
-
smartphones, networks, and digital storage
-
media to support investigations and
-
resolve legal matters. So this is
-
basically what digital forensics is
-
about. Let's go ahead and start with the
-
technical part, which is the topic I like
-
most. Okay, let's talk about those
-
30 best practices that I’ve put
-
together for you. At the end of the
-
presentation, you will have the
-
opportunity to ask as many questions as
-
you like. 1. You have to
-
follow the legal and ethical standards:
-
For this particular first point, I am not
-
going to make any comment. I believe that
-
ethics is a key component
-
of cybersecurity. We always
-
have to follow the rules. We must always
-
follow the legal procedures in the
-
places in which we operate because every
-
single place is a different component.
-
2. Understand the original evidence:
-
This is key. Okay. You always have to
-
maintain the integrity of the original
-
evidence to ensure it is admissible in
-
court. Any kind of manipulation
-
or modification will result in
-
disqualification from the court system.
-
Document everything: This is something
-
that technical people like me don’t
-
like too much, but when it comes to
-
digital forensics, we have to document
-
every single step we take. We have to
-
record all the steps we
-
follow, and we want to make sure that
-
everything is documented and recorded in
-
a specific chronological order. This is
-
a key component for digital
-
forensics or investigations to be accepted
-
in the court of law. Secure the scene:
-
It’s not just physical
-
crime scenes that need to be secured to prevent
-
contamination or tampering.
-
If you present anything in court and
-
the opposing party
-
has the ability to prove that
-
something was not preserved, the
-
conversation is over. Chain of custody:
-
I’m going to repeat this more than
-
once during the presentation. Sorry.
-
Chain of custody refers to how you
-
establish and maintain
-
the evidence and the process
-
that facilitates how the
-
tracking process is handled. Use-Write-
-
Blocking Tools: This is another key
-
component of digital forensics. It means
-
that you have to use the appropriate
-
hardware and software that allow for
-
write blockers when you are collecting
-
data to prevent alteration. There are a
-
set of tools you can use, and at the end
-
of the presentation, I’m going to provide
-
you with a specific set
-
of tools you can use as write-blocking
-
tools. Verify hashing or hash
-
values. This is how you calculate and compare
-
hash values to verify the data's integrity.
-
There is often confusion about integrity,
-
confidentiality, and availability. In
-
digital forensics, the most important
-
component is integrity. It means that we
-
must make every effort to
-
ensure that the data is not modified in
-
any possible way, from the time we
-
arrive at the scene
-
to the time we present the evidence
-
in court and even after that as well. So
-
other component is Collect volatile data
-
first. Okay, this obviously makes perfect
-
sense. You have to prioritize this
-
type of data collection as it can be
-
lost or modified when the system is
-
powered down. For many of you, what I’m
-
going to tell you may
-
sound not appropriate, and this is the
-
following assessment:
-
we've been told from the time we
-
arrived at school and even at work
-
that information or data in random access memory (RAM) disappears when the
-
computer is shut down. Back in 2019,
-
I made a presentation similar to
-
this one for this account, in
-
which I proved that the data in RAM
-
can be recovered. Okay. So, what we have been
-
learning in multiple places, and what you can
-
easily find on Google, that data in RAM
-
is lost when
-
computers are powered down, is not
-
exactly correct. The other component is
-
Forensic image. You have to create a
-
forensic image of storage devices to
-
work with copies. You must always
-
present the original evidence. This is a
-
requirement in the court of law. You must
-
present the original evidence every single
-
time. The other component is the Data
-
recovery. Data recovery is closely
-
associated with digital forensics for
-
obvious reasons. Okay. You have to
-
employ specialized tools to recover
-
deleted or hidden data. This is also
-
something to keep in mind. At the end,
-
I'm going to provide some specific
-
applications you can use to do data
-
recovery.
-
Timeline analysis: You must construct
-
and analyze timelines to understand the
-
sequence of events. What happened first? The
-
chronological order is a mandatory
-
requirement in the court of law. You
-
cannot present evidence in court
-
in a random manner. You have to
-
follow the specific chronological order.
-
The other consideration is Preserving
-
the metadata. Ensure metadata integrity
-
to verify results, timing, and
-
authenticity of the digital artifacts you
-
are going to present in the court of law.
-
Use known good reference data: This
-
means you have to compare the
-
collected data with known
-
good reference data to identify
-
anomalies, specific patterns, and
-
statistical processes. Many times, you have
-
to do this as well. Antiforensic
-
awareness: You have to be aware of the
-
antiforensic techniques in use.
-
There are multiple applications
-
that work against digital forensics. So,
-
you must be aware of that. Before
-
you start digital forensics analysis,
-
while working on the data collection
-
process, you want to make sure you
-
don't have any anti-forensic
-
tools or applications installed on the
-
particular host or hosts in which you are
-
going to conduct the investigation. Another
-
very important component is Cross-validation.
-
This is what brings actual
-
reputation and respect to the data you
-
are presenting in the court of law. Okay?
-
So the standard operating procedures are a
-
very important component that is oftentimes
-
overlooked, and it's about
-
developing and following SOPs that
-
maintain consistency. This is
-
why documentation is key, and it was
-
presented in slide number one. Training
-
and certification are also important components, and
-
this is relevant. The reason why it's
-
relevant is that I understand you can learn
-
many things by yourself. This is becoming
-
more popular as we become more
-
technology-dependent. This is normal
-
and expected, but certifications still
-
hold particular value. There are
-
multiple questions in certification
-
exams, in general terms, not only in EC-Council
-
certifications or others, in which,
-
most likely, if you don't go through the
-
certification process, you will never
-
find out. And this is what
-
some people say: "Well, this is
-
theoretical information." Digital forensics
-
involves a lot of theoretical information--
-
A LOT. Remember that we are doing the
-
analysis at a low
-
level, from the technical standpoint. So
-
theory is extremely important and
-
relevant when we do forensic
-
investigations--digital forensics. The same
-
happens with medical doctors. When
-
medical doctors do a forensic
-
analysis of a body of someone who
-
passed away, they also employ a lot of
-
theoretical knowledge they have been
-
accumulating. Digital forensics is no
-
different.
-
The other consideration is expert
-
testimony. Okay? I, for example, live
-
in Miami, Florida, in the USA, and I am one of the
-
11 experts certified by the legal system
-
in the 11 districts. This means that when you
-
go to court, you have to be
-
classified as an expert in order to
-
provide comments and evidence. Otherwise, you will
-
probably not be able to speak in court,
-
as what we say
-
in court is relevant for the case.
-
And with our wording or statement,
-
along with the evidence we provide, we have
-
the ability to put somebody in jail or
-
release this person from jail.
-
So, this is extremely important. Okay? So,
-
evidence storage is one of the most
-
important components. Your opponent in
-
court or in your company will try
-
their best to challenge what you
-
are presenting. So, you have to safely
-
store and protect evidence to maintain
-
its integrity. Integrity is the most
-
important characteristic or
-
consideration in digital forensics--
-
without any other factor coming close. So, integrity
-
is everything in digital forensics. Okay?
-
Data encryption: There are multiple cases
-
in which you will do digital
-
forensics on encrypted storage devices,
-
encrypted data, or encrypted
-
applications. You need to develop the
-
ability to handle encrypted data
-
and understand the encryption methods.
-
Among the publications I have, I have
-
over 25 publications on different
-
topics and concepts within security. A
-
few of them, probably five or six, are
-
specifically about encryption. If we want
-
to do digital forensics, we must become
-
data encryption experts. There is no other
-
way. I understand that many people
-
don’t like math, statistics, physics, etc.,
-
but this is a requirement for doing an
-
appropriate digital forensic assessment.
-
It’s a necessity today. Okay? The other
-
consideration, and this is for the people
-
who love technology like me attending
-
or watching this conference, is network. I
-
am a big fan of networks. I have been
-
working in networking for 41 years.
-
My doctoral degree is in
-
telecommunications and cybersecurity. So,
-
networking is in my DNA. I love networking more than
-
any other topic in information
-
technology. Network analysis is the
-
ability to analyze network
-
traffic logs and data to trace digital
-
footprints. I’m pretty sure
-
everyone has a tool of mine, and, of course,
-
this tool is most likely part of the
-
tools I’m going to
-
provide in the last slide for you.
-
But network analysis today, from a
-
digital forensics standpoint, is
-
everything. Everything is network-related in
-
one or another way. Malware analysis: We
-
need to develop the ability to
-
understand malware behavior and analysis
-
and how those malwares impact systems.
-
This needs to be incorporated as part of
-
the cybersecurity analysis when
-
performing digital forensics today. Cloud
-
forensics: I don’t have to highlight how
-
important cloud operations are. Okay? We are
-
moving operations to the cloud, and
-
for those still
-
running operations on-premises, there is
-
a high expectation that sooner rather than
-
later, you will move operations to the cloud for
-
multiple conveniences. However, the
-
configuration at this point does not fully
-
benefit all aspects of the cloud. From
-
a forensic standpoint, when you do
-
cloud forensics, the situation is a little
-
different from
-
on-premises investigations. So, you have to
-
adapt methodologies for investigating
-
data in the cloud, regardless of the
-
cloud provider. Here, as a matter, you can see
-
AWS, Google, Azure, or anyone else.
-
The operation in the cloud is somehow
-
different from a digital forensics
-
standpoint, starting with how you
-
access the data.
-
Remote forensics: Remote forensics is the opportunity
-
to develop skills for collecting and
-
analyzing data from a remote location.
-
This is happening more frequently now as
-
we become more telework-dependent.
-
In multiple cases--my own company, for example, knowing my
-
job with the government, but owning my own
-
company--I have been doing more remote digital forensics in the last
-
two, three years, probably two years.
-
Digital forensics that
-
than probably ever before in my life. So, this
-
is an important skill to develop as well.
-
Case management: This is how we use
-
digital forensics case management to
-
organize and track investigations. I mentioned to
-
you that I go to court very often--more
-
often than I want, very, very often.
-
Okay. And they scrutinize every
-
single protocol you present, every single
-
artifact, every single document, and the
-
specific chronological order. This is a
-
complex process. It’s not just collecting
-
the data, performing the digital forensics
-
analysis, and going to court to testify.
-
Okay? The process is much more
-
complex than this.
-
Collaboration: Collaborate with other
-
experts and there's one in the middle
-
that I'm going to highlight in a few.
-
Collaborate with other experts, law
-
enforcement, or organizations for complex
-
cases. Cases are different from one another.
-
Of course, this is okay, and I know you
-
know that. Okay? But you have some cases
-
sometimes in which the forensic analysis
-
becomes very complex. In those particular
-
cases, my advice is to collaborate with
-
others. Okay? You do better when you work
-
as part of a team and not when you work
-
independently. I’ll skip the data
-
privacy compliance for a minute because
-
this is relevant. Every single state,
-
every single... No
-
exception. A state court operates on the
-
different requirements. So, you want to
-
make sure that you follow the privacy
-
regulations in your specific place. Okay?
-
And by the way, I'm going to ask you a
-
question. I'm not expecting any response.
-
But the question is: by any chance, do you
-
know the specific digital forensic
-
regulations in the place you live? Ask
-
yourself this question, and probably some
-
of you are going to respond "no." This is a
-
critical thing. Continuous learning: You
-
need to keep asking about what we do. Okay?
-
Cybersecurity is an specialization of IT. From
-
my point of view, it's the most fascinating
-
topic in the world. This is
-
the only topic I can talk about
-
for 25 hours without drinking water.
-
This is my life. I dedicate multiple
-
hours every single day, seven days a week,
-
even when it creates some personal
-
problems with my family, etc. This is in
-
my DNA. I encourage each of you, if you
-
are not doing so, to dedicate your life to
-
become a digital forensics expert. Digital
-
forensic is one of the most fascinating
-
topics in the planet. Okay. And you want
-
to be attentive to these type of things.
-
Report and presentation: When you go to
-
the court or when you present your
-
outcomes of all the digital forensic
-
outcomes to your organization, you want
-
to make sure that you use clear
-
language, you are concise, and you are
-
ready for the presentation questions and
-
answers. You never want to go to the
-
court unprepared. Okay? Never in your
-
life. This is not appropriate because, at
-
the end your assessment, you have the
-
possibility to put somebody in jail or
-
somebody will be fired from the
-
organization or not. So what we said is
-
relevant. Our wording has a huge impact
-
in other people's lives. It's important
-
to be attentive to that. One of the most
-
relevant topic that I have been using in
-
my practice is the use of artificial
-
intelligence in digital forensic. Since
-
2017, this is not a topic that is well
-
known. At this point, the reason why I
-
really want to share my experience--
-
practical experience with you guys,
-
digital evidence analysis, how artificial
-
intelligence can help us. Well, everybody
-
knows that we have multiple applications
-
that we can use in order to analyze
-
the different kind of media that can be
-
generated. For example, text, image, and
-
videos, artificial intelligence studies
-
have the ability to detect and flag
-
potential relevant content for
-
investigations, especially from the
-
timing standpoint. Digital forensic is
-
extremely time consuming, very, very
-
time consuming and complex. This is
-
probably along with data recovery the
-
most complex specialization in
-
cybersecurity. So the use of artificial
-
intelligence, in our favor, is very
-
convenient. And at the end, I'm going to
-
include as well or actually I included
-
in the list a particular artificial
-
intelligence tool that you can use in
-
your favor. The other use of artificial
-
intelligence is pattern
-
recognition. Artificial intelligence can
-
identify patterns in data, helping
-
investigators recognize anomalies or
-
correlations in digital artifacts that
-
may indicate criminal activity.
-
Out of the whole sentence, the most
-
important question is: "What is the key word?" The key word,
-
correlation. How do we correlate data by
-
using artificial intelligence? The
-
process is going to be simplified
-
dramatically. Speaking based on my
-
personal experience, the other component is
-
NLP. This can be used to analyze
-
text-based evidence, including logs
-
and emails, to uncover communication
-
patterns or hidden minutes. A lot of
-
evidence that we collect, about
-
65%, is included in emails, chats,
-
documents, etc., so this is when NLP plays
-
a predominant role in artificial
-
intelligence in the digital forensic
-
analysis for image and video analysis. It provides
-
incredible benefits. Okay? You have the
-
ability to analyze multimedia
-
content to identify objects, people, and
-
potentially illegal or
-
sensitive content. I’m sure a word
-
is coming to your mind right now, steganography.
-
Yes, this is part of steganography, but it's
-
not similar to doing steganography by using a
-
particular application. When you
-
employ artificial intelligence tools
-
that are dedicated exclusively to
-
digital forensics, the benefit is really
-
awesome. Predictive analysis: Machine
-
learning models can predict potential
-
areas of interest in an investigation,
-
guiding forensic experts to focus on
-
critical evidence. Imagine that you are
-
analyzing a hard drive that is one
-
terabyte holds a lot of
-
documents, videos, pictures, sounds, etc. You
-
know that, right? If you are
-
attending this conference, it’s because you
-
are very familiar with information
-
technology, cybersecurity, and digital forensics.
-
Well, how do you find the specific data you
-
need to prove something in a court of
-
law? You have to be very careful
-
about the pieces of data you pick for
-
the analysis, otherwise, your
-
assessment is not appropriate. And again,
-
every single word we say in a court
-
of law or in the organization we
-
are working for is relevant. It implies
-
that probably somebody will be in jail
-
for 30 years, or probably somebody, if we’re
-
talking about a huge crime like an
-
assassination or child pornography abuse,
-
will face consequences like death. Our
-
assessment is critical. Okay? We become
-
the main players when
-
digital forensics is involved. We have to
-
be very careful about the way we do it.
-
This is not a joke; it's very serious. Okay?
-
Predictive analysis, machine learning
-
models, or artificial intelligence are
-
pretty close in this concept and can predict
-
potential areas of interest in an
-
investigation. But we also talk about
-
detection. Artificial intelligence
-
driving security tools can identify
-
cyber threats and potential cybercrime
-
activities, helping law enforcement and cybersecurity
-
teams respond effectively and
-
proactively. More importantly, the
-
majority of us have multiple tools that
-
we call proactive
-
in our place of work. Okay? We
-
have different kinds of monitors, etc. But
-
the possibility to do something in a
-
proactive mode is really what we want.
-
Evidence authentication: Artificial
-
intelligence can assist in the
-
authentication of digital evidence,
-
ensuring its integrity and the
-
possibility of this data being admitted
-
in court. Data recovery: Artificial
-
intelligence helps with the recovery of
-
data that has been deleted
-
intentionally or unintentionally. It
-
doesn't matter. When we do digital
-
forensics, we want to have as much data as
-
we can to make a case
-
against a particular party. From the
-
malware analysis standpoint,
-
artificial intelligence brings a lot of
-
speed, and this is needed because, again,
-
you are looking for a needle in a ton of
-
water or in a ton of sand, and this
-
is very complex. From the network
-
forensic standpoint, we are accustomed to
-
using tools such as Wireshark, which everybody
-
knows, well, anyway,
-
there are now specific artificial
-
intelligence tools for network forensic
-
analysis. I have included two of
-
those tools in the list on the last
-
slide. Automated trace: This is one of the
-
most important considerations for you to
-
consider with artificial intelligence in
-
digital forensics. Speed is key. It’s basically
-
the ability to do
-
correlation between large data sets. Case
-
priority: Artificial intelligence can
-
assist investigators in
-
prioritizing cases based on factors like
-
severity, potential impact, or resource
-
allocation, meaning timing.
-
Predictive policing: This is super important
-
because, until today, digital forensics has
-
always been reactive. We react to
-
something that happened. The possibility to
-
make predictions in digital forensics is
-
fantastic. It has never happened before.
-
This is new, at least for me. I started
-
using artificial intelligence back in my own
-
company in 2017, and I have been able to
-
that in
-
multiple cases for the police department
-
in Miami and in other two cities in
-
Florida: Tampa and St. Petersburg. The
-
results have been amazing. Document
-
analysis: You know that NLP can extract
-
information from documents and analyze
-
sexual content for investigations.
-
Artificial intelligence dramatically minimizes
-
the time needed for that.
-
Emotional recognition: Everybody
-
knows what happened with the DSP
-
algorithms. Okay? So we can use artificial
-
intelligence to analyze videos,
-
which is awesome because our eyes, our
-
muscles in our eyes, don't have the
-
ability to lie. We can lie when we speak,
-
or we can try, but our eyes’ reactions
-
to a particular stimulus cannot be hidden
-
or cannot be modified. So this is unique.
-
From the data privacy and compliance standpoint, you
-
also have the ability to
-
automate the specific data you want to
-
include as part of your report. Okay? Now,
-
digital forensic data acquisition steps:
-
From my standpoint, after 41 years of experience,
-
preservation--we already talked about this.
-
Documentation: Preservation is integrity.
-
Okay? This is the most important
-
consideration, categorically speaking, in
-
any kind of digital forensic
-
investigation. You have to preserve the
-
data as it is. And remember, you never use
-
the original data for your forensic
-
analysis—-never. You always use a copy. And
-
to do copies, you have to use bit-by-bit
-
applications. Bit-by-bit—you cannot
-
copy bytes, or you cannot copy data
-
and forget about the information. So,
-
preservation is the most important thing.
-
Documentation: We already know that
-
everything needs to be documented, okay?
-
From the crime scene to the
-
last point. Chain of custody: One more
-
time, and I guess I’m going to
-
mention this one more time because chain
-
of custody means or opens the door for
-
you to present a case in the court of
-
law or to prove, in
-
your organization, that what you
-
are presenting is appropriate. You have
-
to plan how you are going to collect the
-
data. You have to plan with anticipation.
-
The specific tools you are going to use.
-
What methods are you going to consider?
-
In your data collection process, this is
-
relevant, and you always have to consider it.
-
The comms. Comms is probably more important
-
than PR when you select or decide to
-
use a particular application for
-
data acquisition. You always want to
-
focus on the negative. People usually
-
tend to talk about the positive--oh, I
-
like why the Shar because this and that. I
-
It's better that you focus on the
-
negative. In Information Technology,
-
everything has a cross and comes; no
-
exceptions. Exceptions do not exist. There
-
is not one exception. Everything positive
-
has something negative in Information
-
Technology, and this is what you want to
-
focus on to avoid problems in the end.
-
Okay, so...
-
How about the verification process? You
-
have to verify, before you work with the
-
real data, that the tools and methods you
-
selected work. Okay? You never want to
-
mess up with the original data. You need to work
-
with a copy. You want to test in a test
-
environment: your tools, your methods, your
-
approach. The steps you are going to
-
follow are very time-consuming. It is, but
-
by the way, it's also very well-paid. It's
-
very well-paid. The only thing I can tell
-
you is that it's very well-paid. You have no
-
idea. If you become a cybersecurity
-
expert and specialize in digital
-
forensics, this is where the money is, and
-
trust me, this is where the money is. Okay,
-
I'm telling you from first person. Duplication--
-
we've talked about that already. The only way
-
to do that is by creating a bit-for-bit
-
image. There are no other ways. Okay, this
-
is why you want to use PR blocking
-
devices, software, and hardware. I
-
mentioned that before. Text rooms and
-
hashing--different concepts that some
-
people are still confused about. Okay?
-
There is a huge difference between the
-
two. The main one is that hashing is a
-
one-way function. You go from the left to
-
the right, and usually, you don't have the
-
ability to come back to replicate the
-
process. Of course, if you have the
-
algorithms on hand, then you can do
-
reverse engineering. This is obvious, but
-
this is not what happens under regular
-
conditions. Okay, so checksum and
-
hashing both minimize the possibility
-
that you make a mistake in your digital
-
forensic analysis.
-
The other component is
-
acquisition. Okay, so how are you going to
-
collect the data? What particular tools
-
are you going to use? You always have to
-
maintain strict R-only access to the
-
source. If you have the ability to
-
manipulate the data in the source, you
-
have the ability to tamper with it. Actually,
-
the most important consideration out of
-
the CIA, which is integrity, if the
-
opponent is the opposite part to you in
-
your organization, the defendant, in other
-
words, has the ability to prove that
-
the original data or source can be
-
manipulated in any way, the conversation
-
is 100% over, and the case will be
-
dismissed. Categorically speaking, there's no
-
more conversation. So this is a humongous
-
responsibility when it comes to data
-
acquisition. What protocols you use, what
-
the specific tools are, how you plan it, and
-
how you document it is a very painful
-
process, in other words. Okay, now data
-
recovery--we already talked about the
-
complexity of finding a needle in a ton
-
of S. This is super complex, okay? But it's
-
doable. The only thing you have to do is use
-
the appropriate tools, and you need
-
to have a specific plan because every
-
single case is 100% different. Digital
-
signatures sign the acquired data and
-
hash it with a digital signature for
-
authentication. There are multiple cases
-
today in which digital signatures are not
-
accepted anymore. In the government, I
-
am a federal officer for the U.S.
-
Department of Commerce in the USA. In the
-
government, we are not allowed to sign
-
anything by hand for many years back.
-
Many years, okay? Digital signatures have
-
a specific component that minimizes,
-
dramatically speaking, the possibility of
-
replication, and this is why this is
-
accepted in a court of law.
-
Verification verifies the integrity of
-
that acquired image by comparing hash values
-
with those calculated before. The hash
-
values must be exact. No difference, not
-
even by
-
0.001%. Much, 100%
-
categorically speaking. Otherwise, the
-
court is going to dismiss the case as
-
well, or the organization probably isn't
-
going to take the appropriate action versus
-
a particular individual or problem or
-
process. Okay, LS and no--we already talked
-
about documentation at the beginning. You
-
have to actually make sure that
-
everything is timestamped. As I mentioned
-
before at the beginning, digital forensics
-
must be collected in a particular order,
-
analyzed in a similar manner, and
-
presented in the report in the specific
-
order in which the process was done.
-
Otherwise, the process is going to be
-
disqualified, and this is exclusively at
-
this point our responsibility, and
-
nobody else’s. Okay, the storage--we already
-
know that chain of custody is one of the
-
most important components. There are
-
multiple forms depending on the state in
-
which you live and the countries as well,
-
that you have to follow. Anything--if you
-
miss a check mark or if you put a check
-
mark on those particular forms--you are
-
basically dismissing the case. You
-
intentionally... the court doesn’t work in
-
the way many of us believe. Okay, we have
-
the possibility to put somebody in the
-
electric chair or to release or provide
-
this particular individual or
-
organization what we said is relevant.
-
Okay? This is very important. The brief--
-
you always have to be in
-
communication with all parties, both the
-
one presenting the digital process or
-
ruling the process and the other party as
-
well. You cannot hide anything--Zero--from
-
your opponents in the court of law or
-
for the defendant's part. Never in your
-
life. This is why the first bullet in the
-
whole presentation was, as you may
-
remember, ethics. Okay, in digital forensics,
-
we provide what we know to the other
-
parties as well, even to the defendant, to
-
the opponents, every single time. No
-
exception. And we provide every single
-
artifact with the most clear possible
-
explanation to the opponents. This is how
-
the digital forensic process works.
-
Otherwise, it will be dismissed as well
-
in court. Steing, you have to make
-
sure that every single piece of digital
-
evidence is
-
properly stored and that you follow the
-
process by the book. Again, if you skip
-
one step, just one out of 100 or 200s
-
depending on the case, the case is going
-
to be dismissed. No exceptions. The code
-
goes by the book, as you can imagine, and
-
your opponent is going to be very
-
attentive to the minimum possible
-
failure to dismiss the case. Okay, so how do
-
you transport the data from one place to
-
the other place? Chain of custody--this is
-
the key component. Chain of custody, data
-
encryption--you have to make sure that
-
you prevent, or actually, pro-prevent
-
integrity manipulation, and you always
-
want to ensure the confidentiality of the
-
data (CIA). We already talked about the
-
components: confidentiality, integrity, and
-
availability. From the digital forensic
-
standpoint, the most important--no
-
exception--is integrity, and also
-
confidentiality. Okay, so from the
-
recovery image standpoint, you always
-
want to have a duplicate for validation
-
and reanalysis. Remember that you
-
always want to work with a copy of the
-
digital evidence 100% of the time, no exceptions.
-
You have to preserve the original
-
evidence. This is part of our
-
responsibility, and this is why we do bit-by-bit
-
analysis and bit-by-bit copy. It's
-
complex. Okay, now a specific step in
-
digital forensics is to analyze the
-
collected data. At this point, you already
-
went through multiple processes and spent
-
a lot of time. How do you analyze the
-
data you have? Because you are going to
-
have probably terabytes of data. Okay,
-
well, you have to make sure that hashing
-
and digital signatures and the chain
-
of custody have been followed. Data
-
prioritization--what happens and what is
-
more relevant? You cannot present in the
-
court two terabytes of data or 2,000
-
pages. This is irrelevant for the case.
-
Okay, you have to make sure that you use
-
keywords in order to provide a solid
-
report to the court for this particular
-
case. For the keywords, artificial
-
intelligence has been proven to be
-
of huge help. File carving--you have to
-
use a specialized tool to recover files
-
that may have been deleted or are
-
intentionally hidden. Timeline analysis--
-
we talked about it. You have to do everything
-
by following a particular sequence of
-
activities. In other words, you have to
-
present and do the analysis in
-
chronological order, in the way that you
-
collect the data. This is the exact way
-
you do the analysis, and later you do
-
correlation. Okay, but you have to follow
-
a particular chronological order. Data
-
recovery--you have to do your best to
-
reconstruct the data that has been
-
deleted or probably damaged, even by
-
physical or electronic conditions in the
-
storage media. The metadata analysis is
-
also complex. Okay, this is the next
-
component after the timeline
-
analysis. Metadata includes multiple kinds
-
of data, so this part of the analysis is
-
going to be more complete and more time-consuming
-
than the data collection, and
-
the data collection is already very time-consuming.
-
Content analysis--you have to
-
be very careful because this is
-
basically what the forensic analysis is.
-
Parent recognition--how you
-
can match one bit of data with another
-
bit. Okay? Is there any association
-
between bits, between bytes, between data,
-
between words? This is an ideal
-
component. Communication analysis--again,
-
you want to make sure that you include
-
everything. Emails today are probably the
-
most relevant component of digital
-
forensics analysis. You want to make sure
-
that you master email analysis as well.
-
Data encryption--you always have to keep
-
in mind the confidentiality, and when we
-
are talking about the recovery or the
-
recovery image, I mentioned that as well,
-
similar to the chain of custody before,
-
because you always have to preserve the
-
the original data. Evidence
-
examination--you want to make sure that
-
you verify the integrity of the data you
-
have been acquiring, including hash values,
-
digital signatures, and the chain of
-
custody. We talked about this already.
-
This is a repeat of the slide, by the way.
-
Okay, so database examination--you’re
-
forgoing a duplicate slide, so this slide
-
is the same as this one. My apologies
-
for that, it's my fault. Database
-
examination--investigate databases for
-
valuable information, including
-
structured data, logs, entries, etc.
-
Media analysis--this is a very complex
-
process because it's usually about atigo or
-
includes testigo, and this is about
-
images, videos, audios, geolocation, and
-
digital signatures. Network traffic
-
analysis tools, as well as the Shar, h--but my
-
suggestion is that you use all the tools
-
that are part of the artificial
-
intelligence applications we can use
-
today and are available in the
-
market. Estigo is always complex, okay?
-
Because estigo includes not only images but,
-
in many cases, audio as well, and this is
-
very complex, time-consuming. You always
-
want to make sure that you use the
-
appropriate estigo analysis techniques,
-
and there are multiple specific techniques for
-
volatile analysis. As I mentioned before,
-
there are multiple ways to do
-
data acquisition from RAM memory. When we
-
turn off the computer, all the data from
-
RAM doesn’t go off. This is what
-
everybody says. This is what Google says.
-
This is what people who have never done
-
forensic investigations repeat. This is
-
not appropriate if you know how to do it.
-
Again, I made the presentation for EC
-
Counsel in 2019. If you Google my name and
-
this presentation, you will be able to
-
find a particular video in which I was
-
able to recover data from RAM memory
-
after the computer was taken
-
down. Believe it or not, go for the other
-
presentation that this is EC Counsel
-
Database, and you will be able to see the
-
video. Okay, comparison--you have to
-
cross-reference every single time to
-
make sure that the data you identify is
-
appropriate, and you always identify
-
deviations and inconsistencies
-
before you do the final
-
report. I told you already, when you
-
present the report in the court of law,
-
any minimum mistake, something minimal,
-
will disqualify the case. For
-
example, in this presentation, I included
-
IED by mistake. This slide and this slide.
-
If I do that in the court of law,
-
it's dismissed.
-
Okay, that's it. There's no more
-
conversation. The emotion analysis--we've
-
talked about that. We are talking
-
about persons. Digital evidence is always
-
related to people in processes,
-
applications, hardware, software. So we
-
want to make sure that what we present
-
is accurate, and from the documentation.
-
At some point, it was the second point in
-
the presentation. We have to document
-
everything. Reporting is about compiling
-
in a clear and comprehensive manner,
-
including summaries, methodologies, and
-
supporting evidence. You have to include,
-
or at least in my case, I always include
-
the recordings of everything I do.
-
Everything means even if I open my
-
personal email, or if a notification comes
-
to my computer and I open something in
-
my WhatsApp, for example, this is
-
part of the recording as well. Okay? So,
-
you have to make sure that you provide
-
an expert testimony. In order to do that,
-
you have to be an expert in digital forensics.
-
Peer review--consult with others,
-
with your partners, with the opponent,
-
with the defendant part before you
-
present. It's not that you are going to
-
modify the report because the defendant
-
doesn't like it. This is not what I'm
-
telling you; it's just that you are going
-
to provide the report. By the way, you
-
must provide the report to the defendant
-
before you go to court. By the time
-
you stand up in court, everything
-
needs to be done. The other party needs to
-
know exactly what you are going to
-
present. This is how the legal systems
-
work. Okay, with the exception of very few
-
countries, but in the world, this is how
-
it works. So, the quality assurance is just
-
making sure that what you present is
-
appropriate. The case management is how
-
you use the digital forensic
-
system to track everything in the analysis
-
process, and from the data privacy
-
compliance. I told you already that every
-
single place, every single city, and every
-
single state operates under different
-
conditions. Popular tools for digital
-
forensics: A few of those are in case
-
autopsy, Access Data, and everybody knows how to use
-
the forensic toolkit. Hway forensic,
-
celebrity volatility, WI SH,
-
everybody most likely knows, oxygen
-
forensic detective, and the digital
-
evidence forensic toolkit. Some
-
of those are included in Cali, others are
-
not. Some are open source, and others are
-
extremely expensive. For example, in case,
-
which is very, very expensive. Some
-
relevant references about digital
-
forensics: I prefer to use keywords and
-
not particular references or books
-
because I don't recommend any specific
-
book. Instead, the combination of content,
-
knowledge, and expertise is key. But some
-
words or keywords you can use if you
-
want to expand more in digital forensics
-
are: digital forensics best practices,
-
challenges, iMobile digital forensics,
-
network forensic techniques, cloud
-
forensic investigations, Internet of
-
Things forensics, memory forensic analysis,
-
because you want to stop repeating what
-
you have been learning for years. When
-
you take down the computer, when the
-
computer is turned
-
off, there is a lot of data that
-
remains in RAM memory for a particular
-
amount of time, of course. Okay, so try to
-
expand on this topic: malware analysis in
-
digital forensics, and cybersecurity and
-
digital forensics trends. Those are
-
keywords that will facilitate your
-
expansion, or help you expand on digital
-
forensics knowledge. Other
-
considerations are some particular
-
journals. Okay, in this case, I’m going
-
to risk and recommend Digital
-
Investigation, which is published by Xier. It
-
is one of the top journals in the world. The other
-
one is the Journal of Digital Forensics,
-
Security and Law and Forensic Science
-
International: Digital Investigation Report.
-
I'm open to any questions you may
-
have, and one more time,
-
I want to sincerely thank you
-
EC-Council for another opportunity
-
to talk about this fascinating topic.
-
Thank you very much to all the staff at
-
EC-Council that worked tirelessly to make
-
this presentation possible. And
-
thank you so much as well for you guys
-
attending the conference and
-
for the questions that you may ask.
-
Thank you very much, Dr. Luis, for
-
such an insightful and informative
-
session. That was really a very
-
interesting webinar, and we hope it was
-
worth your time too. Now, before we
-
begin with the Q&A, I would like to
-
inform all the attendees that EC-Council's
-
CHFI maps to the forensic
-
investigator and the consultant in digital
-
forensics. Anyone with the CHFI
-
certification is eligible for 4,000+
-
job vacancies globally, with an average
-
salary of $95,000.
-
If you're interested to learn
-
more, kindly take part in the poll that's
-
going to be conducted now. Let us know
-
your preferred mode of training, and we
-
will reach out to you soon.
-
Dr. Luis, shall we start with the Q&A?
-
Yes, I'm ready.
-
Okay, our first question is: How do you
-
prove in a court of law that the collected
-
evidence is from the same object and not
-
collected from any other object?
-
This is a very important question.
-
I really appreciate the clarification on
-
this topic. As I said, we have to be very
-
careful about the way we collect the
-
data. When we are talking about objects,
-
objects are associated with bits, not just
-
bytes, but bits. And as I mentioned
-
multiple times, when we do the copy of
-
the original data, we want to make sure
-
that we always do it bit by bit. When you do
-
bit by bit, and not byte by byte, because a bit
-
implies up to 3.4 volts in electricity,
-
we are eliminating the possibility of
-
mistakes. Objects are bigger; a bit does not
-
constitute an object. Objects are formed
-
by multiple bits. This is why we have to
-
do the analysis bit by bit, and I have
-
mentioned that multiple times.
-
Thank you for answering that
-
question. Our next question is: What kind
-
of forensic data can we obtain from the
-
encrypted data where the key is not
-
available to decrypt the data?
-
Could you please repeat the question?
-
What kind of forensic data can
-
be obtained from the encrypted data
-
where the key is not available to
-
decrypt the data?
-
You encrypt data...
-
I'll just paste the question to you
-
on chat Dr. Luis.
-
I’m not watching the chat right now.
-
Something happened.
-
I'm not watching the chat.
-
Sorry. Hello?
-
Can you hear me?
-
Yes, I can hear you. Yes, I have posted
-
the question in the chat, Dr. Luis. Okay.
-
Okay, please. Yes, I have already pasted it.
-
Okay, let me check here.
-
Okay, give me a second. Okay, what kind of
-
forensic data can be obtained from
-
encrypted data? Oh, okay. Well, this is
-
another misperception. Everybody
-
knows that when the data is encrypted, we
-
cannot open the data or the particular
-
file, document, video, any kind of digital
-
forensics data. Let me tell you something:
-
There are multiple forensic tools that
-
have the ability to decrypt the data
-
even when we don’t have the key. This is, and
-
I understand the key component, and I
-
understand the two types of
-
encryption--symmetric and asymmetric.
-
As I said, I have multiple publications
-
about encryption.
-
But there is most likely
-
always the possibility to decrypt data
-
without having the encryption key. I
-
understand that it doesn’t sound
-
popular; and it’s not what we hear every
-
single time, but when we specialize
-
in digital forensics, we usually have the
-
tools we need to decrypt the data,
-
especially if you are using artificial
-
intelligence. Also, in the government, at
-
least in the U.S. government, in
-
my operation, in the operation I direct, I
-
handle, and I supervise, we have been using
-
artificial intelligence for multiple
-
things in cybersecurity since 2017.
-
We are also using Quantum
-
Computing. Quantum Computing is not
-
coming; quantum computers have been in use in the
-
U.S. government for years now. So, we have been
-
using Quantum Computing for years. There
-
are multiple ways to decrypt the data
-
when the encryption key is not available.
-
Multiple ways, multiple applications as
-
well, help with the process. It's
-
very time-consuming, but there is a
-
possibility for that. And this is a great
-
question because the question is, "Okay,
-
what if the hard drive is encrypted?
-
There's nothing I can do, right?" No,
-
this is not like that. There are always
-
ways to decrypt the data. Always. It
-
doesn't matter how strong the encryption
-
is, but you need to have the appropriate
-
tools in place. For example, I'm going to
-
mention just one: in case, when I present
-
this, some tools that I suggest--before I
-
said that in case is very expensive. In
-
case, do magic (in quotation marks). In
-
case, do multiple things that we don’t
-
learn in school. Okay,
-
so I can see the other question investigations.
-
here: How to adapt to investigation in
-
the cloud, since the cloud providers do
-
not allow most important operations to
-
access media? When you have to do a case
-
or conduct digital forensics in the cloud,
-
the cloud providers, 99% of the time (I
-
don’t want to say 100% because I
-
don’t want to risk it),
-
Cloud providers include in the SLA
-
(Service Level Agreement) what is
-
going to happen if a digital forensic or
-
any kind of investigation
-
needs to be performed in the cloud space.
-
So, most likely, the cloud operator is
-
going to facilitate access to everything
-
you need. Sometimes, you have to move and
-
go physically to the place where the
-
data is hosted.
-
Don't believe that the cloud
-
provider doesn’t know where the data is
-
hosted. We know where the data is hosted.
-
Specifically, I have been in San Diego,
-
California, and other states in Hawaii
-
back in 2019
-
as well. Doing forensic
-
investigations in a cloud environment. It
-
was actually for something government-related,
-
and I was given the permission I
-
needed to do any kind of investigation. So,
-
cloud providers facilitate forensic
-
analysis because forensic analysis is
-
usually related to legal cases. There are
-
multiple cases in which, in the USA, we don’t
-
have access to this data and I'm going
-
to mention an example: TikTok.
-
The problem between the U.S. government
-
and TikTok is that when TikTok got the
-
authorization to operate in the USA, the
-
government was one step behind.
-
Okay, and we don’t regulate TikTok at
-
this point. TikTok has the ability to
-
prevent forensic investigations on the
-
TikTok platform for the U.S. government or
-
legal system. Okay, but
-
again, usually, cloud providers facilitate
-
investigations in the cloud 100%. They
-
cooperate in every single manner to
-
facilitate forensic investigations.
-
Thank you for answering
-
that question. We'll take the last
-
question for the day. What are the best
-
open-source free tools for social media
-
forensics? There is no "best" open-source
-
tool. It is a combination of tools.
-
Number one: digital forensics cannot be
-
performed categorically with
-
one or two tools. This is a complex, time-consuming,
-
and expensive process. I made
-
some suggestions; they're included in the
-
slide. Let me see a slide…
-
slide number 16.
-
Okay, this is the slide in which I
-
include InCase, Autopsy, and some of
-
them are uppercase as I… I’m sorry, open-source
-
as I mentioned before, but there
-
is not a particular tool or two or three
-
tools that I will recommend. Because, on
-
top of that, every single forensic investigation
-
is about a different
-
process. You cannot use the same tools.
-
This is why there are very, at least in the
-
USA, a very small number of organizations or
-
companies that specialize in digital
-
forensics, as my company does. The reason
-
why is because, among many other things,
-
lack of expertise and expenses.
-
Okay, so I do not recommend a
-
particular tool. Instead, I recommend the combination
-
of tools. There are multiple open-source tools.
-
I mention a few in slide number 16 of
-
my PowerPoint presentation, but again,
-
those are not sufficient. Those are the
-
most popular and stronger,
-
more accurate tools that
-
you can use for digital forensics, but a
-
particular tool, one or two, to do a
-
forensic investigation--it doesn’t exist.
-
It’s impossible. Doesn't exist.
-
Thank you again to our wonderful
-
speaker, Dr. Luis, for answering those
-
questions and for the great presentation
-
and knowledge shared with our global
-
audiences. It was a pleasure to have you
-
with us, and we are looking forward to more and
-
more sessions with you. Before we
-
conclude the webinar, Dr. Luis, would you
-
like to give a small message to our
-
audiences? Please.
-
Well, no, I just want to thank
-
everybody again, the ones that worked
-
tirelessly behind the presentation to you
-
in EC-Council. As always, thank you very
-
much for the support. For all the
-
attendees, I hope you learned something new.
-
Let me clarify that every single content,
-
wording, words, etc., that I have been
-
presenting to you is my original
-
creation not 99.99%,
-
but 100% categorically speaking.
-
I put together those notes and
-
reflections for you guys with the hope
-
that you can come back to your
-
organization and serve better, that you can
-
become a public servant
-
and go to court and testify in
-
favor of the part that deserves your benefits.
-
I sincerely thank you for
-
the opportunity to share my expertise
-
with you guys. Have a nice weekend, okay?
-
Thank you very much for the time and the
-
questions. Thank you so much.
-
Thank you so much, Dr. Luis, for your
-
message. Before we end the session, I
-
would like to announce the next Cyber Talk
-
session: "Why Are Strong Foundational
-
Cybersecurity Skills Essential for
-
Every IT Professional?" which is scheduled
-
for November 8, 2023. This session is an
-
expert presentation by Roger Smith,
-
Director, Managed IT Industry Fellow
-
at the Australian Defense Force Academy. To
-
register for this session, please do
-
visit our website:
-
www.ccu.edu/cybertalks. The link is
-
given in the chat section. Hope to see
-
you all on November 8th. With this,
-
you may disconnect
-
your lines. Thank you. Thank you so much,
-
Dr. Luis. It was a pleasure having you.
-
Likewise, thank you very much for the opportunity.
-
Thank you. Have a good day.
