Free Short Course: Digital Forensics (Updated) - Module 1

Subtitles generated by robot
00:02
Hello everyone, thank you for joining us for the first webinar of an updated Digital Forensics series, part of a short course presented by IT Masters on behalf of Charles Sturt University. My name is Guy Coward and I'll be your MC for this webinar and for the duration of the course. Your mentor is the lovely and talented Matt Constable, who I'll say g'day to later. Wherever you're watching this, we hope you're safe and well, and comfortable, because we'll probably be running long. But before we begin, some housekeeping. All webinars for this
00:34
course will be held at 8pm Sydney time, but this of course will be across different time zones relative to UTC time, and even across different days, so congratulations to us on excellent planning. We figure most of the domestic live attendees will be busy on the Easter Monday public holiday for webinar 3, so we'll chat on Tuesday. That's also the first week of the switch back to standard time for New South Wales, Victoria and them that
01:05
changed their times, so be careful Queenslanders, and you Western McGowan knights. If you or we have messed up the timing, don't worry, we'll make recordings anyway for everyone who can't attend on a given occasion or just stuffs up the time. But despite the recordings, if you can make it we hope you'll attend the live webinars and contribute to what is hopefully a collaborative learning environment. We quite clearly use Zoom for our webinars and encourage
01:35
questions and the use of chat throughout the course, and we ask that you direct all questions relevant to course content to the Q&A section, and that you send all administration-type questions, you know, dates, details, resource availability and all those sorts of things, to Hannah in the chat. You can chat with Hannah specifically or to your fellow students as well, and you can make that choice by toggling through the dropbox once you open the chat log. There are usually really experienced attendees who'll be most helpful with any queries you have.
02:06
Actually, I might chuck another poll up now and ask a more sensible question. Let's go poll number one and we'll talk about your experience levels as I'm going through this. But anyway, the experienced people often, you know, augment people's understanding of the content, so feel free to go for it in the chat. We'll have Q&A sessions at the end of each webinar, or if a question is
02:42
particularly relevant I'm quite happy to interrupt Matt and we'll talk for far too long about the interesting questions. I should also mention that one of my favourite things to do is see how much longer Matt can keep a compelling webinar running than the hour that we allocate. There's every chance we'll run long, particularly in the later weeks. If this isn't ideal for you, first of all I'm sorry; feel free to leave when you need to, that's absolutely fine because of the recordings. Second, I really do believe that the extra time Matt essentially donates to us and you totally outweighs the
03:12
downside, and I'm always grateful for it. For those who have never taken part in a short course with us, first of all welcome. IT Masters is a training organisation that exists as a partner to CSU, who we work with to create and deliver a number of master's level courses. We also market these courses on their behalf, and hope that the best way to do that is to give some of it away free. These short courses are essentially marketing, but hopefully a public service as well. If we do a good job of, you know, delivering these short courses, we figure potential students
03:44
will be encouraged to enrol in the full master's if and when it suits them. With that marketing spiel said, you know, we want this course to be useful and a rewarding exercise in its own right. I hope you'll learn some useful information, have a bit of fun, and hopefully make some connections with your fellow students in the forums; there's, you know, three and a half thousand people enrolled in the course, so there's plenty of options there. I want to thank Hannah for being around tonight and for the whole course. Hannah is basically the administrative and technical manager for
04:15
short courses for IT Masters. Now she's also responsible for the learn.itmasters.edu.au website and the course page, which is where you find everything you need for this course: recordings, readings, forums, tasks that are scheduled for you. If you have any questions tonight or later on about, I guess, the details of the course, there's some contact details there and you can chat with us using that. Next week I'll talk a bit about CSU and give you an idea of what studying
04:44
with us is all about, and how these short courses can help you in completing a postgraduate course of study, so if you have any questions about that sort of stuff please hold them over; hopefully I'll answer those then. I'll also next week have heaps to say about some weird, potentially good news after COVID about, you know, government settings that are decreasing across, because tertiary education is in dire trouble in terms of cash flow and desperate for students. So, advantage you: there are huge savings available at the moment, so it could be a
05:16
good time if you've been sort of weighing it and it hasn't quite worked for you. If you're keen, I don't even know when the next study session starts, I'll be out of the loop a bit, but if you want to get going you can get in touch. I'll just share these experience results, and it's as usual sort of a little bit of experience looking towards building some real expertise, so hopefully that'll be useful for
05:46
Matt. And I'll go just quickly: if you're keen on getting going with your study pathway because you've already made the decision you want to get into it, just chuck a yes in here, "yes please" or "heavens no", to us contacting you this weekend, and we can cut out the spiel and you can get going and we'll just give you a call or email or whatever. Anyway, it's time to welcome Matt, and thanks for bearing with me as usual. Matt Constable is great, he has all of the certifications
06:17
in the IT world, all of the qualifications in the academic world, and these short courses with him are heaps of fun. I'll let him go into the detail, and I'm contractually obliged to say: hey Matt, talk now.

Thank you Guy, as ever, for your unbelievable introduction. I'm only glad that when you put that first poll up I wasn't drinking something, because I would have spat it all over my keyboard, and I'm glad the microphone was on
06:47
mute as well because I was laughing quite hard. Oh, stop. So, no, thank you for your introduction; as ever you are the master of all masters of ceremonies. So with that said, and the back-patting, that's it, over. Welcome everyone. We've got an excellent turnout, over 500, which is fantastic. So this is week one, obviously, of the Digital Forensics short course. Now
07:17
just off the top of the bat I want to just say something about this particular short course and what we base it on. So this particular short course we're going to base off a subject that is run primarily by Charles Sturt University, so that is ITC 597 Digital Forensics. Under the IT Masters umbrella we also have a forensic subject, which is ITE 513 Forensic Investigations,
07:48
and they are complementary to each other, and will be, you know, more complementary to each other in the near future when we redevelop our subject that we do at IT Masters. So this particular course, though, is based on this core subject, and I first of all want to acknowledge Dr Araf Khan, who is normally the lecturer at CSU that takes this particular subject through most sessions, for his contribution to the content that
08:18
is coming up over the next four weeks. So the slides are largely based on content from that particular subject, to give you some insight into what that subject's all about, and where appropriate I will add some information into the mix that also will point you to the differences between this particular subject we base this course on and the elective subject that we do at IT Masters. So without further ado, let's get this show on the road.
08:49
So this evening we're going to talk about an introduction to digital forensics, so look at some definitions and some introductory information. I noticed in the poll, the first serious poll that Guy had up earlier, that there's a little bit of a mix: there's a few people with some experience who are looking to mainly augment that. Awesome. Reminders: please, you guys out there that are experienced, if you feel you want to, you can add something to the conversation, then please do so. I'm happy for
09:21
people to interact and help each other out. I will also say that, particularly when we talk about the areas around investigations and law and legislation, this may vary from country to country and state to state, or jurisdiction to jurisdiction basically. So what I'm talking about is where I am particularly, so keep in mind that with the legal side of things it may be different wherever you are in the world. We'll then look at
09:51
some of the introductory topics that ITC 597 looks at, so that's a digital forensics course, and then we'll start to unwrap some of the forensic tools, and in the next few weeks we'll look at: next week we look at data acquisition; the week after we look at forensic investigations around operating systems, social media, email, virtualisation, so some topics around that; and then in the last week we're going to look at some specific
10:22
forensic tools that you might use, because there are literally millions of them, and there is no limit to either the complexity or the simplicity of the tools that you can use in performing a forensic investigation. It really just depends on what you're comfortable with and what suits the actual investigation that you're undertaking. So, about me: I'm not going to read through all that, but I've been around the traps for quite a while now, worked in networking, security,
10:54
wireless, voice over IP, contact centre, across a number of different industries. I've been on the customer side and the integrator side of the fence, so I like to think I've got a pretty broad experience base, a pretty comprehensive experience base, but there will be those of you out there that will, you know, make me look like a beginner. So by all means, please don't think that I am the be-all and end-all and have all the answers; there'll be plenty of answers out there that you guys will have too, and I would invite you to bring them to the table
11:25
as often as you like, both in these sessions through the Q&A application and also in the discussion forums on the Moodle website as well.

Before you go on, Matt: he's being modest, everyone, but also some of the people in the chat are asking about your PhD, how that's going, because they are... it was Sebastian... because of course Matt does a lot of these short courses and we had one session where we talked about
11:56
it. So, all right, I heard it was good. All right, I'll give you a very, very brief rundown of where that's going. Yeah, it's going good, okay. So, digital forensics definition... No, no, we're going well at this stage, so thank you for those who've asked, and no, I haven't finished, I'm about halfway through in terms of time, so come back and ask me about that in a couple of years' time; I'll probably still be doing MOOCs with my good friend Guy at that stage.
12:26
Bloody well hope so. So do I. All right, so digital forensics, the definition. This is the definition we're going to use within our context for this short course, and also used within the context of the subject ITC 597. So it is the application of computer science and investigative procedures for a legal purpose, involving the analysis of digital evidence after proper search authority, chain of custody,
12:57
validation with mathematics (that sounds interesting), use of validated tools, repeatability, reporting and possible expert presentation. Wow, okay, there's a lot there to unpack, isn't there? What we're basically saying, in a nutshell, is we're using computer science and computerised digital tools, and we're using procedures that we borrow, really steal, from the normal, you know, typical forensic investigators and
13:27
detectives and police work, so they're the same investigative procedures, okay. Now it does say legal purpose, but we can also use our digital forensics for internal company investigations as well, so it may not be that we're actually investigating a crime as by a definition of a law, but we may be investigating an infraction against a particular policy within an organisation, so then that becomes a
13:58
human resources issue. We still need to provide evidence and a detail of what actually happened with that infraction so that we can then go and take up remediation action with the person involved. So it doesn't always have to be legal, okay. For the purpose of the subject ITC 597 we spend more time talking about the legal side of it, but it can equally apply to a non-legal investigation as well. Search authority, okay, so that's
14:29
talking about, in a legal sense, getting your search warrants and those sorts of things, the legal side of that, so you can actually go out and search and seize evidence. Chain of custody is something you probably don't hear about as much in 597, but in the subject I run, 513 Forensic Investigations, we beat chain of custody to death with a very large stick, so we talk about it a lot, and it's a very important concept to get your head around from a digital forensic perspective. Validation with mathematics: I know that
15:01
will, you know, have people up and ready and listening and ready to go, but really it's quite boring, so we probably won't talk about that too much. But there is some mathematics involved; but, you know, you don't need to know any of it, obviously, and we'll talk about that when the time comes, so hopefully that might be early in the slides so you don't go to sleep before I'm finished. Validated tools, repeatability, reporting, okay, that's all about making sure that you're using tools that are appropriate for the job. It says validated tools; that's
15:33
validated from a technical expert perspective, and as I said before, they can be really, really simple tools, like things like traceroute or ping or Notepad. They are valid forensic tools, depending on what you're looking for, depending on what you're trying to achieve. Repeatability is just about being able to do the same action and get the same result, so again that's proving that the process that you use or the tool that you use is actually fit for purpose and gives you the desired result. So if, for example, you're
16:05
investigating something, you use two different tools and you came up with a completely different answer: not good. We don't want to do that, particularly from a legal sense; we need to have repeatable endpoints. And then the possible expert presentation is about you as a forensic investigator actually standing up in some forum, whether that's in a court or in a boardroom somewhere, actually talking about what it is that you've found in your investigation.
16:36
So there's a whole heap of stuff to unpack in that simple definition. There is a NIST definition. Now NIST is the National Institute of Standards and Technology. They're an American government organisation that have a veritable plethora of documents relating to security, all things security, all types of security, security design, you name it, they've got it. And if you're not familiar with them I wholeheartedly
17:09
recommend that you surf across to their website, www.nist.gov, and have a look at the resources available, because particularly for those of you that don't have a strong security background, that will be fantastic information for you there. So what did NIST say? Let's say that it is the application of computer science and investigative procedures involving the examination of digital evidence (that sounds familiar), following proper search authority, chain
17:39
of custody, validation with mathematics, use of validated tools, repeatability, reporting and possible expert testimony. Well, where did we get that first one from? I think that's probably come straight from this. It's also the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Now you could easily take those digital and computer science references out of
18:10
that and apply that to forensic crime investigation; it's exactly the same thing. So what do you need to be a successful digital forensics practitioner? Well, you need to have lots of knowledge about computers and technology, both contemporary and legacy, so that means you need to know about old stuff as well, because there might be an occasion where you need to investigate a crime that's been perpetrated using a Windows XP device, for example, and if you have no idea what Windows XP is you're going
18:42
to find it difficult, as a very simple example. But you need to have lots of knowledge, a broad range of knowledge; you don't necessarily have to have an in-depth knowledge, like a really, really deep level of understanding. So, say for instance, if you want to do network forensics, it doesn't mean you have to go and get a Cisco Certified Internetwork Expert certificate, okay, you don't have to be a CCIE, but you do have to have a good broad understanding of network
19:13
architecture, switching and routing, so on and so forth, okay, to intelligently be able to investigate in that sort of environment. And that's the same with computers, whether it's storage systems, whether it's looking at email forensics, virtualisation, social media, whatever you're looking at, you need to have some level of knowledge, a good level of knowledge, about that particular area in order to be able to successfully investigate in that area, and if you don't, you need to know where
19:44
you can go to find out that knowledge from a trusted, reliable source, or pass it on to someone who does have that knowledge. You need to be professional about your conduct. Well, that's hardly going to be surprising; I mean, all of us who are in professional vocations or professional jobs, you know, we have a certain level of professional conduct that we have to adhere to. Being a digital forensic practitioner is no different, and particularly from a legal perspective, if you're working on legal cases then
20:16
there's a higher level of expectation around your conduct. The sense which is not so common but needs to be, so common sense, is something that you need: so not to take leaps of faith or jump to rash conclusions, but to sit down and analyse things, think about things and, you know, apply what you know to the things that you are finding in your evidence gathering and try to make sense of it in some coherent way. I mean, you need some common sense. You need the ability to think
20:48
outside the box, so that's to think a little abstractly or a little differently, so as not to be caught with too much tunnel vision and maintain so much focus on something that you can't see outside that little sphere. Attention to detail is really important as well, so you've got to be able to, you know, dot the i's and cross the t's and really go over things really carefully to make sure that you don't miss anything. And then probably most importantly, in
21:19
all walks of life, because no matter what you're doing, to be successful you must be persistent, okay. You have to be braver for five seconds longer than someone else and you'll succeed, okay. You just have to keep pushing; you're almost impossible to beat or overcome if you never give up. So persistence, yes, it's a dot point on this slide, useful as a digital forensic practitioner, but it applies to anything you do in life. If you're persistent you will ultimately succeed and you'll
21:50
get to where you need to be.

Sorry, just a couple of quick ones. Absolutely, of course. This is a refresher course; how much has digital forensics changed in the six years since we last did the short course, in terms of what the subject, or as an industry as a whole? I would say the... I guess I'm more interested in the industry as a whole, you know, like the subject changes as well.

I mean, I guess as we were sort of alluding to before we
22:21
actually started this evening, you and I had a bit of a conversation about this, and I think the main way in which it's changed is probably the tools and the focus, so the types of investigation that you might be doing. So in terms of a digital forensic perspective, obviously, you know, we're looking at digital systems, we're looking at IoT systems, we're looking at computer crime, so the evolution... computer crime evolves all the time. Like, say for instance, the last time we ran this course we probably weren't really talking about ransomware all that
22:52
much, whereas we'll talk about that a little bit in, I think, week three or week four, I don't know, somewhere along the way. Anyway, we'll talk a little bit about ransomware. So the focus that we need to have in terms of what sort of crimes we're investigating has changed somewhat, and obviously the tools are getting better and more sophisticated and more varied. So as I said before, you could still have really simple tools, and you can be a perfectly adequate...
23:23
you can have a perfectly adequate forensic toolkit using open source tools if you're comfortable in that space, or you may find, you know, you could pay thousands, tens of thousands of dollars for either bespoke or commercial forensic packages that you can buy, like EnCase and things like that. So they're probably the two main things I think that have probably changed the most: the tools and potentially the types of crimes that we're looking at; they evolve all the time.
23:53
In terms of the process, the legal process, the process that you go through as a forensic investigator, not a lot of that has changed. You know, the way you investigate a computer-perpetrated crime is still, you know, the same now as what it was five years ago. There's still certain steps and checks and balances that you have to go through, and a lot of that revolves around this concept of chain of custody, rules of best evidence, and making sure that we're able to provide the best evidence to the court or
24:25
the disciplinary hearing, if you like, in a non-legal sense, providing the best evidence to that that we can and a true reflection of the facts. And so the actual process itself has changed relatively little, and it will probably remain so for forever and a day. Does that make sense? Yeah, heaps. Let's keep moving, we'll leave the rest till the end. Okay.
24:56
So in terms of maintaining our professional conduct, we're talking about our ethics, our morals and our standards of behaviour, so basically don't be a crooked forensic investigator. The idea is that, you know, you follow all the processes that we talk about in this subject, and probably more in the forensic investigation subject, so the 513 subject that IT Masters offers, and we talk about chain of custody and the rules of best evidence and the investigative process and the order in which you
25:25
do things, and that's part of your ethics and your morals, is keeping to that: not jumping the gun, not making assumptions, not trying to find things that aren't there. So just follow the bouncing ball and keep to the script, and that's a really key point around that professional conduct. And we can talk about more obvious things, which I don't really want to, but you can mention them in terms of, you know, the typical things: not taking bribes, or, you know, someone saying, hey,
25:56
if you lose that bit of evidence I'll buy you a case of beer, or whatever it is, you know, those sorts of things. They're pretty obvious things that everyone thinks of, but what I really want to impress on you is that the ethics and morals and standards are really more around the process in which you carry your investigations out, more than anything else. So to help with that we've got to exhibit
26:26
the highest level of behaviour at all times, so it's really important to maintain our objectivity, okay, and that can be really hard sometimes depending on the crime that we're investigating. There are certain crimes that are very difficult, or certain incidents that will resonate with you on a personal level; for instance, things around abuse of children, for a lot of people, are really hard to handle, because, you know, a lot of us have kids, we love
26:58
our kids dearly and we hate to see kids, defenceless children, in that sort of environment. But you've got to be able to abstract yourself from that and look at things really objectively, because otherwise you end up going down a rabbit hole and end up somewhere that you don't want to be, or it will damage the investigation, in which case, you know, you've lost the whole point and you've gone against everything you want to go against anyway. And then maintain your credibility by maintaining confidentiality, so don't go
27:30
blabbing around everywhere what you're doing and what you've found; keep your cards close to your chest. That's, you know, ethical behaviour; telling everyone what you're doing and why you're doing it is not ethical behaviour. Standards of skills is also really important as well, so you should make sure that you keep your skills up to date, okay. Yes, we have a skill set around the investigative processes, but we've also got a really
28:01
high level of skill requirement for the technical side. So, you know, it's all right to say you can get forensic tools that will do a lot of the groundwork for you and put everything into a nice database and spit out reports and all this sort of jazz, but you still have to, you know, as a good forensic investigator, you must surely want and must be able to know the ins and outs of every tool that you're using so that you don't make mistakes, because if you make mistakes you jeopardise the output, so the
28:33
evidence of your investigation. So it's really important that we keep our skills up to date, and if we're going to go into a different area of investigation, so we're going to do some network forensics and we don't know much about networking, then don't start doing those investigations until you've upskilled appropriately: pass it off to someone else, get some help in, or decline to take the case if you're an employment investigator. The basic idea is stay in your lane. Yeah, stay in the lane, understand what you're good at and keep to your strengths, because if you don't you can jeopardise
29:05
the output of, or jeopardise the result of, some very, very serious crimes and court cases potentially, if you get it wrong, or even in the easiest scenario, if you talk about an investigation within a company itself, just an infraction on a, you know, an email usage policy for example, you might end up getting someone fired for something they didn't actually do, okay, if you don't have the expertise, you don't maintain
29:36
objectivity and you don't keep things quiet, okay. In terms of the digital forensic roadmap, there are typically eight steps that we talk about in this particular subject. So they are: search authority, so that is a search warrant, or an authorisation letter in the case of a corporate investigation. So that's just giving you the go-ahead: someone above you, someone with moral authority over you and with the authority to do so, is giving you permission
30:06
to investigate. That's number one; if you don't have that, nothing else matters. Chain of custody, so that's making sure that any evidence you find, from the moment you find it, time and date, to the moment you present it in court, time and date, everything that you do, everything that is done by others to that evidence, every trip that evidence takes, every journey it takes, everywhere it is stored, everywhere it is
30:37
referenced, everywhere it is tested, everywhere it is used, is accounted for. That all has to be completely documented; that's the chain of custody. So that shows, if you get it right, a completely unbroken link from the moment you find the evidence to the moment it is presented in court. You can account for every single step, every single operation that's occurred on that evidence, every single part of the way of that journey. And again, if you don't have that, that then allows
31:09
the defence to come in and say, well, there's some doubt here: what happened in this area here, what happened at this time, you know, how do we know that something wasn't changed, you've changed the evidence in this time. So it allows them to introduce doubt, and that in a criminal sense is all they need; they need a reasonable doubt on your evidence to have it thrown out or have it disregarded, okay. We then have imaging and hashing functions, so this is where the mathematics come into it, and I'm not going to bore you with the details of it, but basically we create an image, or we create an exact
31:41
bit-for-bit copy of the device that we're trying to... and, you know, we're talking about disk drives or solid-state drives or some sort of memory device, some sort of storage device. We create an exact image of it, and in fact we create more than one image, because if we only create one image and through the process of our investigations we completely mess it up and destroy it, we've got to go back to the original again, and every time you go back to the original you run the risk of introducing
32:12
errors or introducing changes to that original data, that original evidence, and we don't want to do that. So we take an image of the original evidence, and we then make copies of that image, and we then do our own investigations only on the copies, okay. So this is an absolute golden rule of digital forensics: we never... well, when I say never, there are circumstances, there are times when you will have to do investigation on the fly on the original evidence,
32:43
but if you can avoid if at all possible to avoid it you would make a copy of it take it off site and then do your investigations there the hashing function is a mathematical function so a hash is simply a tool or a hashing tool is simply a tool that you if you like you process the evidence that you're looking at using this hashing tool and it spits out a value okay a fixed value now that fixed value is completely unique
33:13
to the evidence that you have run through the tool so if that evidence changes even just you know you've got a so you've got a word document and you add a full stop to that word document and then run the hashing tool again it will spit out a different value and so you automatically know that something has changed you might not know what has changed but you know that something's changed in that document so that's a way of proving the authenticity or the integrity if you like of the evidence that you're looking at because you've run a hash out of the original this is a value we've got
33:44
we run a hash over the image, we get the same value spat out, therefore the two copies must be identical. If there's a difference in the hash value that's spat out, then the images are different, and we have to look at why they're different, because there's no point investigating an image if it's not an exact replica of the original. Validated tools: so validated tools is really just saying use tools that we know work and we know provide a fixed output,
34:15
we know what we're going to get from them. So don't go using some experimental tool that you're not sure what's going to come out of it. We then analyze, so we analyze what we found, analyze the output from the tools that we've used. We then pass it through a quality assurance process, which is really just making sure that we run a tool, get the result, analyze it, come to conclusion A. We might run the same tool again, look, analyze, come to conclusion A again, beauty.
34:45
We might run a tool, analyze, come to conclusion A; then we might run another tool, a totally different one, output data, analyze, still come to the same conclusion. Okay, we're going well. Okay, so we've got content and we've got construct validity. So we've got validity using the same tool, so we know we get the same repeatable outcome, and we've got different validity: we've got two different tools that provide the same output. Okay, so we're going well, we're doing all
35:16
the right things. We then have to report, so obviously that's what we need to do in the end. We go through the... we see the evidence, we get the evidence that we can offer through our investigations, we validate it, sorry, we validate it, we analyze it, we come up with some hypotheses or some facts about what happened, we write that down in a report and we submit it to whoever hired us for the case, whether
35:47
it's a police investigator, a lawyer or attorney, or an organization, and then we might have to possibly be an expert presenter, either in court or just to a boardroom full of people. If we look at digital forensics versus other disciplines, we come up with this thing called the investigations triad. Now the investigations triad, for those of you that have done the Cyber Security Fundamentals short course, or some of you may have
36:19
actually done the subject as well, because I know there's some current students out there in MOOC land, you might be familiar with the CIA triad or the CIA DAD triad, and this is sort of the digital forensics equivalent of that. And by the way, if you're not familiar with either of those, it doesn't matter. So on this side we've got vulnerability and threat assessment and our risk management, so that's about understanding what our assets are, what the threats and vulnerabilities to those assets are, and how much they really effectively
36:50
mean to our organization. So we provide a risk rating based on the value of our asset to us as an organization and what the likelihood is of it being impacted by some vulnerability or threat. We can do network intrusion detection and incident response, so that's about our alerting and monitoring and potentially incident response in preventing, blocking, getting ourselves back to normal operations. And then at the bottom of that, as a platform of that, we have
37:22
our digital investigations. Okay, and all three of these interact together in order to work in harmony to provide a complete secure solution, or a more complete secure solution. Developing your digital forensic resources: okay, so as I was saying at the top, we need to be familiar with a lot of different things. So you've got to know more than one computing platform. You might have to know a bit about DOS (old, yes, legacy,
37:54
definitely dead in the water, probably), you might come across it. Windows 95, Windows XP, good golly, how long ago did they go out? But you might come across them, so it's good to have a working knowledge of the underlying operating system, and it's much simpler than the current operating systems, in a way. Linux, different flavors, okay, there's lots of different versions of Linux; at least be familiar with a couple of them. Macintosh, dare I say macOS, which
38:25
is really just Linux underneath anyway, let's face it, and the current Windows platforms as well. So, and dare I say, I'm going to add in OS/2 there. Wow, if you ever see that, please send me an email, because if you ever see that I'll be absolutely flabbergasted. There's probably a lot of you out there that haven't even heard of OS/2, but look it up, it makes for funny reading. There's also network operating systems as well, so things like Novell NetWare, although it's called
38:57
eDirectory or some other thing now, I can't remember, it's been years since I've worked with it. And Windows is obviously a network operating system, but there are others as well that you may come across. You also need to be familiar with the new technology, so cloud and social media and smart devices. BYO is a big thing now, so we need to be familiar with that sort of thing as well: tablets and the different phone systems. Again, we'll look at those in week three in a bit more detail. Join as many computer user groups as you can;
39:27
there's a few of them there that you can potentially look at, and there'll be others in your own country, depending on where you're coming from. But there's lots of different resources out there on the web that you can find: user groups, Facebook groups, you know, message boards, all sorts of things that you can join to help to expand your knowledge. The more you know, the better. Develop your resources again, so exchange your information about techniques related to computer investigation and security, so exchange with other
39:59
people, interact with other people. Through this online course you've got access to discussion forums; build your networks, start to talk with other like-minded people, build your skills base. User groups can be helpful, absolutely. Build a network of computer forensic experts and other professionals: look up people on LinkedIn, look up people on Facebook, okay, look up some of the research networks. So ResearchGate is a really good website you can go to as well, so you can register with that for free and
40:30
you can get in contact with other forensic researchers and they can help you out. Yes, they're probably more on the academic side, but they'll be able to help you build contacts, you'll get referees, you'll find other resources that you won't necessarily get from the industry sources. Keep in touch through emails and other networks, so your social media networks. Get professional certifications such as a CISSP,
40:59
okay, if you're doing network forensics, look at the Cisco certifications or the Juniper certifications, or maybe, if you are desperate, the CompTIA certifications; they're more entry level, but you could start there. Okay, try and build yourself. The more knowledge you have on all these different areas, the better you'll be as a digital forensic investigator. I used to say, as I was coming through the ranks over the 30-odd years that I've been in the IT industry, I started, you know, as a lot of
41:30
people will have, on a help desk. I then moved into desktop support, then network operating system support, and then I moved into networks, pure networking, routing and switching, and then into security, and then voice over IP, and then into contact centre, then into wireless, and all these different areas, all these different layers of knowledge start to build up. So even though now I would not, I could not put my hand on my heart and say I am a world-leading expert on any of those things, because I have such a broad range of experiences, and
42:01
there'll be many of you out there in the same case, you'll be able to apply those really well to digital investigations and provide that knowledge that you've built up over many years of troubleshooting and designing systems, and apply that to digital forensics. For those of you that don't have those skills yet, it doesn't matter, you'll get them. It takes time, you can't rush experience, okay, you've just got to live through it. So go out there and have a go, do whatever you can to get whatever experience you can, because
42:32
while some things might not lead to what you expect, there are no bad experiences really, they're only experiences; it depends on how you react to them and how you use them in the future. So, types of digital investigations: we can have two categories, we can really have public investigations or we can have private or corporate investigations. Public or private, yeah, okay, bit blamons there, but anyway, that's the way it's written. So public investigations involve government agencies, so we're talking about criminal stuff, criminal
43:03
investigations, prosecution, where we need things that we need search warrants for. Most Australian states and territories (I don't know why that says most, I would have thought it would have been all, but as I said at the top of the hour, I'm not an absolute expert on the legal side of things), Australian states and territories require search warrants to search a person or premises. Most countries in the world require that as well; there are some that don't, but most countries in the world certainly require that legal
43:38
processing. In terms of the private or corporate investigations, these deal with private companies, so non-law enforcement. There may or may not be lawyers or solicitors involved; they're not governed directly by criminal law, but they could potentially lead to a criminal investigation, depending on what the outcome is. And these are generally governed by some sort of internal policy or some sort of governance or acceptable usage or acceptable behavior policy that we expect our employees to behave by,
44:11
that we expected them to adhere to some sort of code of conduct, and they've broken that, and so we're going to perform an investigation and either give them a warning, which you have to do, you need three formal warnings in Australia before you can be fired, depending on how severe the breakage of the infraction has been. Yeah, so that needs to be done before we can have any remediation. If we just take a step sort of sideways and
44:43
look at the law enforcement agency investigations, there's a couple of definitions that we sort of need to have an understanding of. We've got a digital evidence first responder, so this is a person that arrives at the scene, initially assesses the situation and then takes precautions to acquire and preserve evidence. Now, the first responder may not necessarily be anyone with any digital knowledge whatsoever, or very much, but their job is to just make sure that nothing's touched,
45:13
that everything remains as it is. Okay, if they do have some sort of digital background, then it's to maybe take some photos of things, make some notes about what's on the screen of a computer, or the layout of particular peripherals, or system settings or whatever, but it's not necessarily to do anything actively, it's passively looking, seeing what's going on. We then have the digital evidence specialist, so that's the skilled investigator that comes along
45:44
and starts to determine what's going on, determine what evidence and data is potentially there, what we could potentially seize, and then determine ultimately whether there's other specialist people with special skills that need to be called in to the investigation. And then lastly, an affidavit is a sworn statement of supportive facts about evidence or a crime. So in other words this is a statement, so a legal statement that you give to say this is what we found,
46:16
this is what the facts are as we see them, as the investigation has seen so far, and they also will include exhibits that support whatever the content of the affidavit is. So you can't just make a baseless claim, you've got to have some evidence to back it up. In criminal cases a suspect is tried for a criminal offence, okay, like a burglary or murder or molestation, something like that. Computers and networks are only tools that can be used to commit crimes, and many states in Australia have
46:51
added specific language to the criminal codes to define crimes specifically involving computers. So digital crimes, or digital forensic investigations, isn't just about investigating digital crime, so things like fraud or theft of intellectual property or denial of service attacks, those sorts of things, or ransomware, okay. It's also about finding evidence associated with other physical crimes like burglary or murder or assault
47:23
or car theft, okay, because those crimes can also be perpetrated using digital resources, obviously: phones, for example, text messages, emails, okay, social media, all these sorts of things can be used. Following the legal process: the legal process that you need to follow will be dependent on your local custom, the legislative standards and the rules of evidence that you are bound by in your jurisdiction. Okay, so within this
47:54
online course we're not going to talk too much about the details of that, but just be aware that they will exist and that they will be different depending on where you are in the world, depending on which state you are in, maybe depending on which county or town you're in. Okay, so you've just got to be aware of those as well. A criminal case will then begin when someone finds evidence of an illegal act: someone will make an allegation, an accusation or a supposition of fact. The police
48:28
will then interview whoever makes that complaint, write a report about the crime. It could even be that it's just witnessed by the police, or it's an investigation that starts through them. And then the investigators will delegate, collect and process the information related to that particular complaint, and that's where we as digital forensic investigators come in. But there'll also be other investigators that aren't handling digital assets that will come in and look at that as well. So it's the same process whether it's a real physical crime or a digital crime.
48:59
On a private or corporate investigation, these will involve, you know, regular companies of any size, could be small, could be huge, and potentially lawyers or solicitors who address the company policy violations and they litigate in the disputes related to those. So in terms of corporate computer crimes, it might be something around email harassment, whether that's of a sexual nature or blackmail or something else; might be falsification of important data
49:31
or, say, theft of intellectual property; it could be gender and age discrimination, which does exist; it might be embezzlement; it might be, as Bugs Bunny would say, sabotage; or it could be industrial espionage. Okay, so all of those... "More Bugs Bunny content please." Okay, right, oh, I can do that, and I can do some Porky Pig too. So "sabatagi" or industrial espionage, okay, they are all valid corporate computer crimes, but it's not exhaustive, there's lots of
50:02
other things that may occur in that. I mean, you could always, you could also... no, I won't take it down that path, I'll leave that for the next one, next week. Understanding corporate investigation: so establishing the company policies is really important. So as an investigator we need to understand, and establish an understanding of, what the company policies are around the allegations that have been made, which is a really good way to avoid
50:35
litigation: by publishing and maintaining policies that employees know about, they can read them, they're not ambiguous, and they know that they are bound to follow them. Okay, if you've got that, then if they do something wrong you've got a leg to stand on, there's somewhere you can take it. If you don't have those company policies, they're not established, they're not easily accessible, they're ambiguous or they're impossible to understand, and people decide that they don't follow them because there's not
51:06
company or management support for those policies, then you're in a world of hurt and your investigation is not going to go anywhere. So we need to make sure that they're published, they're concise, they are comprehensive, so across everything that we want associated behavior to be ruled or managed on, and they are unambiguous, well-defined and in a place where everyone knows they are and can get access to them freely. And in fact, in my opinion, they
51:36
should be part of every induction process for all new employees, so long as they are relevant to their job function. Now, one example that a business can use to avoid litigation is to simply display a warning banner on computer screens. So, like this one says, service is for authorized clients only, so if you're not an authorized client you can't get on. The only thing I would say is that it is not clear necessarily
52:08
who, with all... who is authorized, so you could potentially claim that, oh, I didn't know I was authorized, I thought I was authorized for this particular system. Okay, so there's a little bit of ambiguity there, in my opinion, with that particular bit there, but, you know, these sorts of banners are pretty commonplace, particularly in larger organizations. Designating an authorized requester: so an authorized requester has the power to conduct investigations, and policies should be defined by the
52:40
executive management. Again, you need support from upper-level people; if you don't have that, it doesn't work. There are certain groups within your organization that should have direct authority to be able to go and request an investigation if they think some policy or procedure within their company has been breached, okay, and these include these guys here: corporate security investigations, the ethics office if you've got one, equal employment opportunity office,
53:10
internal auditing, or general counsel or legal department. If you haven't got those groups within your organization, then someone needs to have that authority to ask for an investigation, or to perform the investigation themselves, depending on the size of your organization. When we conduct these security investigations we have to be aware of the type of situations that we might find ourselves in. So are we looking at abuse or misuse of corporate assets? So we look at email abuse, internet abuse. In terms of abuse, I'm not talking
53:42
about literally swearing or abusing someone, I'm talking about misuse of that service for an unauthorized means, okay. So those three examples there might be handled slightly differently: email, internet, you know, misuse, closely related, but misuse of corporate assets, what does that really mean? Are we talking about laptops, servers, switches, routers, you know, what are we actually talking about? It's going to depend on the job role that you're fulfilling.
54:14
We need to be sure that we distinguish between the company's abuse problems and potential criminal problems, because there's a fine line sometimes between misusing company assets and being in the criminal areas, in which case the investigation becomes different, the burden of proof becomes different, the process becomes more stringent, because the chain of custody and the rules of best evidence suddenly become a little heavier.
54:47
And then we have to consider what happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer, okay, because, as I just alluded to, the burden of proof is slightly different, or maybe different. Distinguishing personal and company property: so many company policies distinguish between personal and company computer property, and that's because people like to bring their own devices. It can be good for the company because it means they don't have to outlay on assets,
55:19
but it also can bring a myriad of problems, particularly from a technical aspect, in terms of how can we connect this device to a network, how do we protect our network against crime or viruses or other, you know, malfunctions coming from those particular devices, from a general sense. Then from an investigation perspective we have to have that understanding of when is the use categorized as business use and when is it categorized as personal use,
55:50
and what's the overlap, and, you know, there's some dodgy ground that you're... you know, pretty soft ground that you're standing on there, skating on thin ice, to use another analogy. So you need to be careful that you have that understanding of where that line between personal and company property, and personal and company use, is, because if it's outside, you know, the policies of the company, but it's still criminal, then there might still be an obligation to report it. There's a different phase; it
56:21
opens up... Some useful forensic tools for your learning: so this really leads into later on in our online course, but these are all tools that are useful for you to have a bit of a look at, and they are all tools that I use in the subject ITC597, which, as I said, the online course is based on. So do have a look at those. We'll actually... the first hands-on activity for this week actually involves this one here,
56:53
Autopsy, so you need to download that, and then there's some resources on the Moodle site that you can download. There's a chapter, or some pages out of one of the chapters, of the actual textbook that we use for this particular subject, and there's an activity there that you can follow along with. So you don't have to have any experience, you just need to download this particular package here with the puppy dog, install that, and then there's a file on the Moodle site which is a disk image file; you can download that and follow the
57:26
investigation in the PDF snippet from the chapter. So that's your first online task for the course. OSForensics is something we looked at in the last week; in fact I think we look at all of them. FTK Imager Lite comes up as well, WinHex comes up in a few slides as well. So these are all tools that we will reference over the next four weeks, and you may find they will be useful for you to start playing around with. They're all free, or there's free versions of all of them
57:57
that you can have a look at. OSForensics is a commercial product, but you can get a free limited version of it, which we'll have a look at in week four, and you can use that to get some familiarity with tools if you haven't got any idea of forensic tools at this stage. And there you go, hands-on activity topic one: download Autopsy using that link and away you go, then read the PDF document, "Hands-on activity topic one" it's called, so that's on the Moodle site, and then there's this file here, which is
58:29
the accompaniment to it, and then if you read through that PDF you'll be able to go through the particular investigation step by step and get some experience and get a bit of a feel for what the digital forensic area is like. And there you go, guys. Now, I have finished, one minute over. Now, I know, I know you're going to say I haven't answered any questions yet, but no, I've finished, and if we consider that
59:01
you probably took up 10 minutes at the start, I'm actually... oh yeah, that's... they've probably done pretty well for me. But just for everyone's attention, this will slip out drastically, particularly when we get to week three, so be prepared for a big one that week. So right, Guy, over to you for questions, if you've got any. There's plenty of them. No, no, you've done your lecture, and that's the thing, now people can hang around and listen to the questions. There's still 570 of you around, so that's bloody great. Well, goodbye. Retain them. Yeah, and now they're all asleep
59:32
and forgotten. No, I'm sure that's not the case. Thank you, Matt. Just a couple of quick ones: if you hate the chat, that's okay, you can work around that, there's many ways to do that, and Hannah takes you through it a few times each webinar. My favourite is to use the second screen and hide it on the second screen, maybe even turn it off. But there's a bunch of really good questions, and I want to start with, I guess, the job market and the job role
01:00:03
range, which is something that, I guess, I'm really focused on as part of IT Masters, is about application of the theories to various enterprise settings. So there's questions from, for example, could you pick an area and develop a forensic expertise in that area, notwithstanding your advice to, like, really, you know, learn a few things? But if you have a broad knowledge, is there the potential, is the job market there, to sort of specialize in a particular area? There's also a question from an
01:00:34
anonymous attendee, you know, are these investigations done by an individual or a two-person team? What sort of options are there for people? Well, there's a lot, there's a lot obviously you can get into. I guess, okay, let's look at it. First of all, if we look at law enforcement type investigations, now generally to be a digital forensic investigator
01:01:03
in the law enforcement field, you would... I can't say for certain in all states of Australia, because I don't know, but certainly in some states of Australia, the ones that I know about, you actually have to be a police officer for a start. So you've got to have that expertise, if you like, that badge on your CV. Now then, on top of that, you would then apply to go into a digital forensic area, and whether you would get into that
01:01:35
would depend on a number of other things. Let's face it, if you're straight out of high school, straight into the police force, you're there for three or four years, and then you apply to become a digital forensic investigator, then the expectation is you're probably not going to have the skills that you're going to need for a start, and you'd be trained on the job. Okay, so that's that sort of sold on it. You may also come into it from having an extensive IT background in, say, networking or servers or something; you then join the police force
01:02:05
and then you become a forensic investigator, with the aim of becoming a forensic investigator, or you could potentially do that with the AFP here in Australia as well, or other government agencies, if you know what I mean. So you could certainly take that path. So law enforcement is probably a little different in comparison to the private investigation side. With the private investigation side, obviously you have the two options of either working for
01:02:38
yourself, and if you do that, if you want to do forensic investigations in a corporate sense, you're not going to be able to do law enforcement type forensic investigations self-employed, for a start, that's just not going to happen, that's not available to you. But you can certainly do corporate investigations, and in order to do that, however, if you were to be self-employed, then you would need to have a really broad range of skills. So that's what I'm saying before,
01:03:08
you know, learn as much as you can about as many things as you can. Now, I wouldn't advocate someone go into digital forensic investigations straight out of uni or straight out of high school; I think that's, you know, that's way too much to ask. It's the sort of thing that you build up to over many years. So you might, for instance, decide that you've been working in server operating systems, let's say you've been working with Active Directory and Windows systems for, you know, five, ten years, and you decide that you want to do investigations
01:03:40
around that particular operating system. You can do that, okay, the opportunity is there for you to be specifically an investigator around Windows systems. Now, is that necessarily going to help you if you... so I guess what I'm saying... no, okay, I'll take that back. If you're going to then do investigations and you're going to specialize as a Windows investigator, then you're going to have to work with other people, because digital
01:04:12
crimes are not typically perpetrated using one type of digital technology; there are usually multiple digital technologies involved, particularly in that corporate sense, okay. So you need to either work with someone else or have that broad range of expertise. So I think my overriding advice is, while you can do certain parts of an investigation with very specific technological skills, so say networking or security or server-based skills,
01:04:44
in general, if you only had one skill set, you would find it difficult to do a complete investigation; you would need to work with other people, suitably skilled people, to get to the end conclusion. If you've got a broad range of skills, though, sure, you could work for yourself, or you could get a job as a consulting forensic investigator. From a corporate sense, you might get a job within an HR department or a security team and become a forensic investigator that way. The other
01:05:16
way you can think of it too is that you could quite easily be a member of a technical security team and be responsible, in an incident, for providing an investigation of that incident and coming back with some evidence around what happened and who's at fault, and then to determine whether it is something for a disciplinary committee or a criminal proceeding. So you don't always have to be, if you like, you know, we talk about in this
01:05:48
particular tonight, and we talk about it in the subject, about being responsible for doing the investigation, presenting the evidence, chain of custody, rules of best evidence, presenting the report, being the expert witness. You don't have to start at that. So you can start doing, you know, sitting on an IT security team or a network team; an incident happens, they might say, hey Matt, can you have a look at the routers and switches, find out what's going on, keep some evidence, you know, and you follow the same process and you
01:06:20
come back with some information which helps to confirm or deny that something's going on and gives you some idea of what's happening. So that's really... forensic investigation is just troubleshooting on steroids. So it's troubleshooting and documentation to the nth degree. So it answers the question: yes, there are opportunities, probably not straight, you know, entry level; there's not as many entry-level opportunities around as what there are for the more experienced people, but
01:06:52
it's definitely a valid and very fulfilling career path if you wanted to take it on. Did that answer that? I sure hope so. It did for me. And as we so often say, Matt, you know, in any of these sorts of roles, and you sort of talk about what roles are available and what range is available within the role, you know, so much of it is about transitioning from one emphasis to another, and it'll take a couple of years. You know, like a lot of the skills you
01:07:23
were talking about, Matt, you know, what you need to be a successful digital forensic practitioner, the first point was very tech heavy, but then the rest were sort of what, you know, are frequently called soft skills: professional conduct, common sense, yeah, yeah, critical thinking, ability to think outside the box and attention to detail, and persistence. And I guess the thing is too, particularly from a legal perspective, that that's what makes it possible to be, you know, a police officer from no IT background, three or four years in
01:07:55
the force, for example, and you show those soft skills and they go, hey, you're perfect for the job, we can give you the technical skills. As I often say, you know, you can teach people technical skills, but you can't teach people attitude. If you've got a crappy attitude or a crappy outlook on something, you know, quite often that can't change, but if you've got a good attitude and a good aptitude for digital forensics, that'll shine out in what you're doing; you can learn the other technical skills. None of these
01:08:26
tools that we've talked about, none of these skills that I've talked about, are things that are beyond the realm of mere mortals. It's all possible; you just have to have that attribute of persistence. And if you're low on IT expertise, CSU does a course that IT Masters has very little to do with, and a link to that course has been chucked in the chat, so if you scroll up you can find that and go and have a look. It's a good sort of bridging course, particularly if you're interested in the public
01:08:56
investigations: you can do the policing side of things and then learn the tech stuff, or of course, if it's suitable for you, go the other way around. Oh, there were a lot of questions when you were talking about hashing. My first one is, what's hashing? Because, for those of you that aren't aware, I'm not very tech savvy. But there are a few questions: which hashing standard do you use? Can you give us an example of documents with different hashing?
01:09:27
And then there was one brief snippet in the chat that I saw about hash collisions, so I'm just wondering if you could talk about them. Whoever was talking about it was saying hash collision in theory versus the likelihood of actually seeing it in practice. Yep, yep, good question. So I guess the simplest way to answer that is to say that a hash is a mathematical algorithm, that's all. It's a mathematical equation, that's literally what it is. And what you do is you take that
01:09:58
mathematical algorithm, which is built into a little program. So it might be just a command line program, or it could be a Windows-based program; I'll get it in a minute. So it can be a Windows app or it can be a command line tool, why don't I just say that. Anyway, so it's a mathematical algorithm built within a tool, and what you do is you take a document or a file and you
01:10:29
pass that file, you give that file to that application or command line tool, and it analyzes it: it passes all the bits and bytes of that particular file through the mathematical algorithm and it spits out a result. Okay? And it's called a hash value, and it's literally just a string of hex digits. So hex digits are 0 to 9, A to F. So it spits out a value of hex digits.
01:11:00
How big that hash value is is determined by the hashing algorithm that you use. So there are a number of them; the two that most people are probably familiar with are MD5 and SHA-256. Okay, so they're hashing algorithms. So then once you have that value, once it spits out that hash value for you, you now have a value that represents that particular file as
01:11:31
that file is, exactly. Now, if you were to go and change that file somehow: as I said before in the example, you've got a letter that you've written to your grandmother in a Word document. You save it, you run it through the hashing algorithm, the hashing tool, and it spits out a hash value. You then think, oh, I forgot to say something to Grandma, and you open up the document again, you add in another sentence and you save it again. If you were to run that document through the hashing
01:12:02
algorithm again, the hashing tool again, it would spit out a completely different hash value. Okay? They would not be the same, because the document has changed. So what that hash value provides you with is proof that a document has either changed or has not changed. So it proves the integrity of that document. And the way we use that in communication and security is to say... oh, actually, I'll use the
01:12:33
digital forensics example, of course; why wouldn't I, I'm in a digital forensics course. So if I had a hard drive, for example, that I wanted to investigate for evidence, I would take my hashing algorithm (without going through all the steps that you need to do), you take the hashing algorithm, the hashing program, and you'd run it on the whole disk itself. Okay, on the image of the disk, and it would spit out a value. Okay, say ABCD; that's the value it spits out.
01:13:04
We then take our copying tool and we make a direct copy of that hard drive, because, as I said, we don't want to work on the hard drive; if we do, we run the risk of introducing errors into that hard drive and therefore changing the potential evidence that's there. So from a legal perspective we don't want to do that. So we make a copy of that hard drive and we come up with an image. Okay, a copy of that hard drive, but it's just called an image file. We then take that same hashing tool
01:13:35
and we run the image through it. So what we're looking for is for the hashing tool to spit out the same value for the image as it does for the hard drive, because if it does, so it spits out ABCD, then we know that the image we've got is an exact replica of the hard drive; nothing's changed. We know that because mathematically that's what the hashing algorithm does. So we know now that the image we have is an exact copy
01:14:06
of the original evidence, the original hard drive. Now we can go and do our investigations on that. However, if in the process of making that copy of the hard drive to the image we mess something up, there's a mistake made or something doesn't copy properly, then the image won't be the same, and when we run it through the hashing algorithm, instead of spitting out ABCD it might spit out DCBA. So it gives us a different value, and we look at it and we go, okay, there's something wrong here, they're not the same anymore,
01:14:37
so we've got to go back and repeat the process. Similarly, it then allows us to go to court and say, here are our hash values from when we made the copy of the original evidence: the original evidence hash value is ABCD, the copy was ABCD, therefore we can prove mathematically that we have exactly the same evidence in the two spots. So we can go and do our investigations and have no fear that anything was wrong. Okay, so hopefully that answers that question about what a hash is
01:15:08
and why we use it. Now, in terms of the hash collisions that someone mentioned: so a hash collision occurs when the output from a hash... so we take two different files, we run them through the same hashing algorithm. Now, because they're different files, they should spit out different values, but a hash collision occurs when they don't: they spit out the same value. Now, the likelihood of this happening... this is possible simply because
01:15:39
mathematical algorithms, because they're written by humans, are not truly random. Okay? So there is a limit to how many values, depending on the bit size that you use; like a 256-bit algorithm compared to a 56-bit algorithm, or a 512-bit algorithm, will spit out a larger value. So there is a possibility that you might have two files that are completely different that will come to the same output. Okay, and that's called a hash collision.
01:16:11
Now, the likelihood of that happening is not very high; infinitesimally small. Doesn't mean it's impossible, but it's exceptionally unlikely. And look, to be honest, off the top of my head I couldn't give you an estimation of what that would be, but it's infinitesimal, very, very... almost impossible. So what do they say? It's computationally infeasible, which means that the time it would take for you to generate a collision
01:16:42
is so great that by the time you generated it, it wouldn't matter anyway. That's basically what we're saying. So it's computationally infeasible: not impossible, but extremely unlikely. One of the downsides of being the MC for these short courses is actually not being able to properly listen to the answers as I'm triaging the rest of the questions. I'm sure that was very interesting. I'm sorry, mathematical... So, no, it wasn't. No, I'm going to go on this, no, no, no. You forget I've got a graduate diploma
01:17:16
in psychology, so I understand the cognitive dissonance you have between the two tasks. Ah, I just can't focus on the answer while I'm reading other people's questions. Well, I can't; that's why I close the questions as well, otherwise I'd get off track too. Excellent. Just a mere calper in the middle of that, folks. Aaron has asked about the responsibilities of a first responder, one of the roles in the earlier slides: would first responders also undertake mitigating actions, disconnecting from the network for example, to minimize
01:17:46
criminal activity, or is that a different role in that sort of triad? Yeah, yeah, that's an excellent question, and that is going to be a little bit dependent on their level of knowledge. So you will have some first responders who are specifically, typically, a digital forensic investigation specialist, or someone who at least possesses these skills. So if we look at the example of the police force: if you're a forensic investigator but you're not
01:18:17
heavily experienced but you've got some experience, you may actually do things like that. So you may get to a scene, a crime scene, and see a whole heap of messages scrolling up on the screen, and you think, my God, it's deleting everything on the hard drive, what do I do? Pull the power. Absolutely, you could do that, because you're then preserving evidence. If you were just a complete newbie, or knew nothing about... so you're a police officer that knew nothing about digital systems at all, then that's
01:18:47
probably not something you would feel comfortable doing. You'd still potentially need to do it if that action was happening, like there was stuff being deleted, but you might not feel comfortable doing it. So it's going to come down to the relative experience and skill set of whoever is first on the scene. Beauty, thank you. I've asked Hannah to stop taking your questions, just because we could go all night, and we likely will anyway. But so if we don't get to your question,
01:19:18
that'll be it. There was a really interesting question from Ishmael: does digital forensics include maintaining, deploying, coding software to conduct forensics investigations? Is automation of these tasks prevalent, possible? Yes, sort of, and yes. So the first part is really more about development, so that is something that you would probably do in
01:19:51
a different context. So you may not do that as a digital forensic investigator, but you would do that as a developer of software for that, although it is possible that you may be one and the same: if you work for yourself, you might decide to write your own bespoke tool, for sure. In terms of automation of the tasks: now, there are a number of tools that you could use that will heavily automate tasks for you. The only thing I'd be careful of with that: if you're getting something like a commercial package like
01:20:24
EnCase, for example, there are a number of things that it will automate, so you basically point and click and away it goes in some parts of the investigation. So it automates a lot of things for you, but it's very, very, very strictly controlled. The issue I would have is if you just took some tools of your own and you decide to automate, do some scripts. That's fine, but again, if you're using it in a legal sense, you'd have to be a billion percent (even though that doesn't
01:20:56
exist) you'd have to be a billion percent sure that your scripts were 100% spot on, absolutely perfect, otherwise you run the risk of errors being introduced. The advantage of being able to run a tool, see the output, run another tool, see the output, run the first tool again, see the output, is that at each step on the way there's a certain result that you'll be expecting, and you can see whether that expectation is met, and if it's not,
01:21:27
you can then delve a little deeper: what happened there? Did I make a mistake? Has something gone wrong? Have I destroyed something? And if you have, then you can go back to another copy of the evidence and start again. If, however, that's all scripted and that's all automated, and you start introducing errors and you're not noticing them, it can send you down a rabbit hole that you may never recover from. So the answer is yes, you can automate a lot of these things, it is possible, but I would probably advise against it unless you are exceptionally
01:21:59
experienced and you are exceptionally sure that what you are automating is a simple task that is going to provide a known output, if that makes sense. So be careful with it. Thank you. Combining a couple of questions: how are we adapting to emerging technology? K James is asking about difficult-to-trace tools such as Tails OS; Alfred's interested in the advancements in the Internet of Things and the Internet of Everything,
01:22:29
and, I guess, are our policy and legal frameworks keeping up? What are some of the challenges around that? So the answer to that question is: poorly. And that's hardly surprising really; I mean, security in all facets has always been largely a reactive type of industry, let's face it. While there are lots of standards and best practices and rules of thumb and blah
01:23:01
blah blah that we can do in security to protect ourselves against a whole myriad of different things, and a whole heap of basic principles, there is always going to be that zero-day effect. There's always going to be someone who knows more, there's always going to be a vulnerability that we forgot about, there's always going to be a patch that we install that creates a vulnerability that we don't know about. So all those things are always going to exist. And from a digital forensic perspective, particularly around legislation, policy and procedure, I mean,
01:23:31
man oh man, the red tape around that, getting changes to those and keeping pace with the huge pace that technology has is, I mean, look, it's more or less impossible. And that's why sometimes you will see legislation around digital forensics being very broad and seemingly vague, but that's because there are so many things that could potentially change, so many different platforms, so many different directions in which you could go, that you can't
01:24:00
specify every single specific thing in a timely fashion and get it through the 4,000 billion different rubber stamps it's got to get through to become legislation. So from that point of view, there's legislation, there are policies and procedures in all organizations that are in place that are helpful, but are they keeping pace with what is potentially out there? No, absolutely not. I think for the majority of
01:24:35
companies, there are certain companies that will be attacked in certain ways, and they will always be attacked in certain ways, and there will always be certain crimes and infractions of policies that exist around a certain organization. So, if you like, they've got a baseline of infractions and a baseline of crime that surrounds that particular organization or enterprise or industry. And so if the legislation and policies and procedures
01:25:05
take all that into consideration, then they would potentially be sufficient within our own little world for a period of time. But if we're talking about industries or organizations that are getting zero-day attacks all the time, or different sorts of crimes are perpetrated using their systems or their technologies, then it can be really difficult to keep pace with that. The other thing we sort of alluded to throughout the session was, we're talking about, I guess we can talk
01:25:36
about digital crimes, so specifically traditional digital crimes like email blackmail and embezzlement and intellectual property theft and those sorts of things, and that's great. But if we think about crimes like murder or assault or car theft or robbing a bank, those sorts of things that can also be assisted through the use of technology, then they are a lot more static. And so legislation that surrounds the investigation of those types of crimes,
01:26:08
which are assisted rather than facilitated by digital assets, that's a different question. I think in those terms we're probably doing okay, but from a strictly digital perspective there are always going to be those issues in making sure that we've got the mechanisms in place to respond to digital crimes when they occur. That's always going to be a really big challenge. And of course, then, the evolution of security tools and security best
01:26:39
practices around digital forensics are always slightly lagging behind the infiltration of crimes and the bad things that are happening. So there's always going to be that balance, there's always probably going to be that little lag behind, even though the gap has closed significantly over the last 25, 30 years. So even though the different attack vectors and different crimes and the way crimes are committed using technology are evolving
01:27:10
over time, the gap between that and the remediations that we put in place and the ways we can investigate and find evidence of those crimes, that gap is a lot closer than what it used to be. So we're not far behind, but I think realistically we're probably always going to be behind. And that's notwithstanding talking about organizations which are far beyond the scope of this online course and my areas of expertise, but places like the DOJ
01:27:43
and CIA and those mythical organizations that we see in all the movies; what they've got and what they can do is far beyond what I understand. But then there are also obviously hacker groups and criminal groups that have a similar limit of knowledge, so there's always going to be that trade-off, I think. And then we're back to questions of ethics. Oh, Paul, that will probably answer your question: if an investigator cannot resolve the issue, probably because we're behind in some
01:28:16
guise, what about the money paid by the customer? No doubt it's either a sunk cost, or... well, there'll be certain things written in when you enter into an agreement like that; you enter into a contract that will have certain stipulations. So it may be that the investigator will say, it might be, if we don't find anything or we can't do it, you don't pay, something simple like that. Or it might be, depending on what we find, you might pay this amount. There'll be some sort of contractual
01:28:47
agreement. The TV lawyer adds: no win, no fee. Yeah, yeah, it's very exciting. Do you have any interesting or hilarious or terrifying or sad case studies about digital forensics, or any famous forensic blunders that you could share? Probably not off the top of my head, actually; they're supposed to be pretty well hidden. Well, yeah, forensic blunders certainly are; most people don't... I mean, I've certainly got some horror stories, mainly around... and there's lots of
01:29:17
them on... actually, we can probably post a couple of videos up on the resources page for you guys, but there are some absolutely hilarious ones on YouTube. They're mainly centred around testimony: people who have done a forensic investigation, they're supposedly the expert witness, and they've gone to testify and just made a complete hash of what they're talking about. One I can remember specifically was a gentleman talking about
01:29:47
an investigation he did around a murder, where the timestamps and the location of the phone proved that the accused was actually in the same area as where the murder was committed, and the exact same spot as where the body was found, and all that sort of stuff. But he had to explain in court what the GPS coordinates and the differences in the timestamps meant, and how they related to the crime scene and how they proved they were
01:30:20
there, and he just, yeah, makes a complete hash of it, totally embarrasses himself in live court. So that's an interesting, funny one, and I really felt... you could see the poor guy, he just shrinks down further and further in his chair, and the more the prosecutor or defence lawyer asks questions, the further he gets off track, and he ends up just basically crying tears and calling for his mum, he was that embarrassed. So that's probably the worst one I've seen. But there are certainly
01:30:51
examples, and it's mainly around people who don't follow process or don't follow chain of custody. They are typically the two big things that I've seen, anyway, in my experience, that have totally messed up a forensic investigation. So someone just handing over a hard drive to someone and saying, oh, here, stick this in the evidence locker or whatever, and they don't make... and then suddenly it gets lost, or it ends up in someone's desk drawer, or it's left on a desk and then picked up by someone else who formats it to put their PlayStation games on or
01:31:23
something, because they don't know what it is. So there are plenty of things like that around chain of custody, and also around people taking the original evidence and starting an investigation on that, and then completely destroying it and then not having anything to go back on. Lots of different examples of that; couldn't even guess how many times that would have happened. Yeah, as Andre Q in the chat has said, though, at least he wasn't a cat.
01:31:56
For those of you who aren't sure what that is, Google "I'm not a cat". Yes. Only a few questions there, so thanks for sticking around, folks. We've covered certifications a little bit: is CHFI from EC-Council a good certification? Oh wow. Yeah, how long is a piece of string? It is good within a context, yes. I would say it's a good introductory forensic
01:32:35
course. I guess I'm probably a little, and I'll say this up front, I'm a little biased, in that I'm not a huge fan of the EC-Council certifications. I'm also not a huge fan of the CompTIA certifications; I'll let that be known too. That's not to say they are not good certifications within a context, and I think I'm probably looking at it from a biased perspective, in that these certifications
01:33:06
which I consider to be quite entry level, have come along at a time where I've had 30-plus years in the industry, so I'm looking at it with a different look to what I would have 30 years ago, had that been around then. But funny you should say: the CHFI is actually the one that we base the subject 513, Digital Forensic Investigations, on, so I obviously thought enough of it to base the subject on it. So yes, I think it's a good entry level;
01:33:37
it's a good starting place to go. It's good, it's generic, it provides you with a good process, good procedural ideas, rules of thumb, gives you a little bit of access to tools. They don't talk about tools too much, obviously, because that varies; you've got to be careful with how much you say about tools, particularly because it's based on the experience of the person using it. You can make activities fool-proof, but they are not
01:34:11
foolproof to a sufficiently talented fool, I think, is a saying that's relevant there. But yeah, look, it's a good entry-level certification, that's probably what I'd say. But it's not something that I would hang my hat on, saying if I get this certification it'll mean I'm a shoo-in for a digital forensic job. Yep. Yeah, and that's the thing with not only this particular certification but all certifications, all postgraduate qualifications or undergraduate qualifications:
01:34:42
it's about finding, I guess, the right balance between your objectives and your existing experience. It's so subjective, and so much depends on who you know as well. Yeah. And really, these are the sorts of discussions we like to have when we contact you directly, from that poll earlier. It's like, if it's not right to do XYZ study, certifications, start or change careers, we like to discuss why, and it really depends on what you want
01:35:13
as much as anything. So there are so many options, and we live in an era of, I guess, user-pays education and certifications as sort of marketing tools, and it's all like a bizarre, stupid, crazy world. It certainly really depends what you want and when you want it and why you want it and all those sorts of things. But hey, let's have a long-winded chat, because there's nothing better than that when it comes to talking about postgrad education
01:35:42
and IT careers. Absolutely. Last couple of questions; I'll combine Scott and Steve. Thank you very much, and thanks everyone for hanging around. They're talking about e-discovery: is e-discovery something to do with digital forensics? And during e-discovery, they're talking about evidence gathered being admissible in court and illegally obtaining evidence, so let's get back to some ethics chat there. Is there a bigger problem with digital forensics than standard
01:36:13
forensics in terms of illegally obtained evidence? The opportunities for illegally obtaining evidence in digital forensics, I think the scope for it is probably larger, potentially, than standard forensics. And I say that with the caveat that I'm not heavily experienced in standard forensics, so I'm not exactly... I mean, but the potential for discovering, if you like, so finding things without the proper authority, in
01:36:46
digital forensics, the scope would be larger, I would think. So it'd be easier to do; you can hide away in a closet somewhere, a la DOJ, CIA, O and I, those sorts of places. So yeah, that's definitely... I think that the scope is probably larger. It's also one of those things that has that potential to be larger simply because you can hide away and be a bit anonymous,
01:37:18
and you can grab something and then send it off to someone and say, hey, have a look at this, what's going on here? Completely inadmissible in court, just hearsay, but easy to do, and easy to do anonymously. So the scope for it, I think, is much larger. In terms of e-directory... e-discovery; e-directory, think about Novell. Now, in terms of e-discovery being included within the digital forensics umbrella:
01:37:50
not something that we would normally discuss in either of our subjects, and not something that I would generally expect to be tightly in an ethical digital forensics environment. But having said that, if we're talking about it being a problem, then there is a potential for it, I guess, yeah. But it's not something we would normally bracket under the digital forensic umbrella. So that's a simple
01:38:20
answer to that one as well. Beauty, thank you. Geez, very close to 100 questions tonight, so thank you everyone for sending those in. They really do, as you can tell, wholly augment the discussion. We've got the hour of lecture and then the Q&A session, so feel free to chuck them in; we always love them. And anything that didn't get answered, just chuck it in the forum. There are 3,000 of you out there listening along in some form or another,
01:38:51
so just throw the ideas around, have some disagreements, respectfully of course, and just see what you can come up with. The course is as good as you lot make it, really. We'll try our best, and if you want anything, chuck a request in the forum as well and we'll see if we can comply. It's really, I think, you are the best resource we have in these short courses, with the possible exception of Matt Constable. No, no, no, no, definitely, we are all stronger than we are
01:39:22
together; we are stronger than we are singularly, without a doubt. Yeah, agreed. And none of this would be possible without Hannah, so thank you, Hannah. Thank you, Hannah. Thank you everyone for listening, thank you, Matt. I'll leave it to you to sign off, and we'll have a chat about next week, and see you all next week. Have a great week. Well, thank you, Guy, as well. Huge thanks to you; you are the glue that keeps these MOOCs from going completely off the rails, although sometimes, particularly when you put those polls up that you do early in the night, I question that. But generally you are
01:39:53
the glue, you are the thing that keeps me on the rails, so thank you very much. And thank you to everyone listening out there for attending; fantastic numbers for this evening. I hope you found it informative, I hope you got something out of it, and I hope you come back next week, because we're going to be talking about data acquisition: the different theories and some different topics around acquiring data from our evidence repositories, whatever they are. So quite interesting next week, so please turn up, and I look forward to
01:40:24
seeing you all back at the same time. But yeah, thank you for your attendance; it's much appreciated to see so many interested people here holding on. Thank you for your questions as well. So yeah, thank you from me, and that's really it for this evening.