SUBTITLES:
Subtitles generated by robot
00:02
Hello everyone. Thank you for joining us for the first webinar of an updated Digital Forensics series, part of a short course presented by IT Masters on behalf of Charles Sturt University. My name is Guy Coward and I'll be your MC for this webinar and for the duration of the course. Your mentor is the lovely and talented Matt Constable, who I'll say g'day to later. Wherever you're watching this, we hope you're safe and well, and, well, comfortable, because we'll probably be running long. But before we begin, some housekeeping. All webinars for this
00:34
course will be held at 8pm Sydney time, but this of course will be across different time zones relative to UTC time, and even across different days, so congratulations to us on excellent planning. We figure most of the domestic live attendees will be busy on the Easter Monday public holiday for webinar 3, so we'll chat on Tuesday. That's also the first week of the switch back to standard time for New South Wales, Victoria and them's that
01:05
changed their times, so be careful Queenslanders and you Western McGowan knights. If you, or us, have messed up the timing, don't worry, we'll make recordings anyway for everyone who can't attend on a given occasion or just stuffs up the time. But despite the recordings, if you can make it we hope you'll attend the live webinars and contribute to what is hopefully a collaborative learning environment. We quite clearly use Zoom for our webinars and encourage
01:35
questions and the use of chat throughout the course, and we ask that you direct all questions relevant to course content to the Q&A section, and that you send all administration-type questions, you know, dates, details, resource availability and all those sorts of things, to Hannah in the chat. You can chat with Hannah specifically or to your fellow students as well, and you can make that choice by toggling through the dropbox once you open the chat log. There are usually really experienced attendees who'll be most helpful with any queries you have.
02:06
Actually, I might chuck another poll up now and ask a more sensible question. Let's go poll number one, and we'll talk about your experience levels as I'm going through this. But anyway, the experienced people often, you know, augment, I guess, people's understanding of the content, so feel free to go for it in the chat. We'll have Q&A sessions at the end of each webinar, or if a question is
02:42
particularly relevant I'm quite happy to interrupt Matt and we'll talk for far too long about the interesting questions. I should also mention that one of my favorite things to do is see how much longer Matt can keep a compelling webinar running than the hour that we allocate. There's every chance we'll run long, particularly in the later weeks. If this isn't ideal for you, first of all, I'm sorry. Feel free to leave when you need to; that's absolutely fine because of the recordings. Second, I really do believe that the extra time Matt essentially donates to us and you totally outweighs the
03:12
downside, and I'm always grateful for it. For those who have never taken part in a short course with us, first of all, welcome. IT Masters is a training organisation that exists as a partner to CSU, who we work with to create and deliver a number of master's level courses. We also market these courses on their behalf, and hope that the best way to do that is to give some of it away free. These short courses are essentially marketing, but hopefully a public service as well. If we do a good job of delivering these short courses, we figure potential students
03:44
will be encouraged to enroll in the full master's if and when it suits them. With that marketing spiel said, we want this course to be useful and a rewarding exercise in its own right. I hope you'll learn some useful information, have a bit of fun, and hopefully make some connections with your fellow students in the forums. There's three and a half thousand people enrolled in the course, so there's plenty of options there. I want to thank Hannah for being around tonight and for the whole course. Hannah is basically the administrative and technical manager for
04:15
short courses for IT Masters now. She's also responsible for the learn.itmasters.edu.au website and the course page, which is where you find everything you need for this course: recordings, readings, forums, tasks that are scheduled for you. If you have any questions tonight or later on about, I guess, the details of the course, there are some contact details there and you can chat with us using that. Next week I'll talk a bit about CSU and give you an idea of what studying
04:44
with us is all about, and how these short courses can help you in completing a postgraduate course of study. So if you have any questions about that sort of stuff, please hold them over; hopefully I'll answer those then. I'll also next week have heaps to say about some weird, potentially good news after COVID about, you know, government settings that are decreasing across, because tertiary education is in dire trouble in terms of cash flow and desperate for students. So, advantage you: there are huge savings available at the moment, so it could be a
05:16
good time if you've been sort of weighing it and it hasn't quite worked for you. If you're keen, I don't even know when the next study session starts, I'll be out of the loop a bit, but if you want to get going you can get in touch. I'll just share these experience results, and it's, as usual, sort of a little bit of experience looking towards building some real expertise, and so hopefully that'll be useful for
05:46
Matt. And I'll go just quickly: if you're keen on getting going with your study pathway because you've already made the decision you want to get into it, just chuck a yes in here, yes please, or heavens no, to us contacting you this weekend, and we can cut out the spiel and you can get going and we'll just give you a call or email or whatever. Anyway, it's time to welcome Matt, and thanks for bearing with me as usual. Matt Constable is great; he has all of the certifications
06:17
in the IT world, all of the qualifications in the academic world, and these short courses with him are heaps of fun. I'll let him go into the detail, and I'm contractually obliged to say: hey Matt, talk now.

Thank you Guy, as ever, for your unbelievable introduction. I'm only glad that when you put that first poll up I wasn't drinking something, because I would have spat it all over my keyboard, and I'm glad the microphone was on
06:47
mute as well, because I was laughing quite hard. Oh, stop. So, no, thank you for your introduction as ever; you are the master of all masters of ceremonies. So welcome. With that said, and the back-patting, yes, the back-patting, that's it, over, welcome everyone. So we've got an excellent turnout, over 500, which is fantastic. Now, this is week one, obviously, of the Digital Forensics short course.
07:17
Just off the top of the bat I want to say something about this particular short course and what we base it on. This particular short course we're going to base off a subject that is run primarily by Charles Sturt University, so that is ITC 597 Digital Forensics. Under the IT Masters umbrella we also have a forensic subject, which is ITE 513 Forensic Investigations,
07:48
and they are complementary to each other, and will be, you know, more complementary to each other in the near future when we redevelop our subject that we do at IT Masters. So this particular course, though, is based on this core subject, and I first of all want to acknowledge Dr Araf Khan, who is normally the lecturer at CSU that takes this particular subject through most sessions, for his contribution to the content that
08:18
is coming up over the next four weeks. So the slides are largely based on content from that particular subject, to give you some insight into what that subject's all about, and where appropriate I will add some information into the mix that also will point you to the differences between this particular subject we base this course on and the elective subject that we do at IT Masters. So without further ado, let's get this show on the road.
08:49
So this evening we're going to talk about an introduction to digital forensics, so look at some definitions and some introductory information. I noticed in the poll, the first serious poll that Guy had up earlier, that there's a little bit of a mix: there's a few people with some experience, but who are looking to mainly augment that. Awesome reminders. So please, you guys out there that are experienced, if you feel you want to, you can add something to the conversation, then please do so. I'm happy for
09:21
people to interact and help each other out. I will also say that, particularly when we talk about the areas around investigations and law and legislation, this may vary from country to country, and state to state, or jurisdiction to jurisdiction basically. So what I'm talking about is where I am particularly, so keep in mind that with the legal side of things it may be different wherever you are in the world. We'll then look at
09:51
some of the introductory topics that ITC 597 looks at, so that's the digital forensics course, and then we'll start to unwrap some of the forensic tools. In the next few weeks we'll look at, so next week we look at data acquisition; the week after we look at forensic investigations around operating systems, social media, email, virtualization, so some topics around that; and then in the last week we're going to look at some specific
10:22
forensic tools that you might use, because there are literally millions of them, and there is no limit to either the complexity or the simplicity of the tools that you can use in performing a forensic investigation. It really just depends on what you're comfortable with and what suits the actual investigation that you're undertaking. So, about me: I'm not going to read through all that, but I've been around the traps for quite a while now, worked in networking, security,
10:54
wireless, voice over IP, contact center, across a number of different industries. I've been on the customer side and the integrator side of the fence, so I like to think I've got a pretty broad experience base, a pretty comprehensive experience base, but there will be those of you out there that will make me look like a beginner. So by all means, please don't think that I'm the be-all and end-all and have all the answers. There'll be plenty of answers out there that you guys will have too, and I would invite you to bring them to the table
11:25
as often as you like, both in these sessions through the Q&A application and also in the discussion forums on the Moodle website as well.

Before you go on, Matt, he's being modest everyone, but also some of the people in the chat are asking about your PhD, how that's going, because, it was Sebastian, because of course Matt does a lot of these short courses and we had one course, one session, we talked about
11:56
it. So, all right. I heard it was good. All right, I'll give you a very, very brief rundown of where that's going. Yeah, it's going good. Okay, so, digital forensics definition. No, no, we're going well at this stage, so thank you for those who've asked, and no, I haven't finished, I'm about halfway through in terms of time, so come back and ask me about that in a couple of years' time. I'll probably still be doing MOOCs with my good friend Guy at that stage.
12:26
Bloody well hope so. So do I. All right, so digital forensics, the definition. This is the definition we're going to use within our context for this short course, and also used within the context of the subject ITC 597. So it is the application of computer science and investigative procedures for a legal purpose, involving the analysis of digital evidence after proper search authority, chain of custody,
12:57
validation with mathematics, that sounds interesting, use of validated tools, repeatability, reporting and possible expert presentation. Wow, okay, there's a lot there to unpack, isn't there? What we're basically saying, in a nutshell, is we're using computer science and computerized digital tools, and we're using procedures that we borrow, really steal, from the normal, typical forensic investigators and
13:27
detectives and police work, so they're the same investigative procedures. Okay, now, it does say legal purpose, but we can also use our digital forensics for internal company investigations as well, so it may not be that we're actually investigating a crime as by a definition of a law, but we may be investigating an infraction against a particular policy within an organization. So then that becomes a
13:58
human resources issue. We still need to provide evidence and a detail of what actually happened with that infraction, so that we can then go and take remediation action with the person involved. So it doesn't always have to be legal. Okay, for the purpose of the subject ITC 597 we spend more time talking about the legal side of it, but it can equally apply to a non-legal investigation as well. Search authority, okay, so that's
14:29
talking about, in a legal sense, getting your search warrants and those sorts of things, the legal side of that, so you can actually go out and search and seize evidence. Chain of custody is something you probably don't hear about as much in 597, but in the subject I run, 513 Forensic Investigations, we beat chain of custody to death with a very large stick. So we talk about it a lot, and it's a very important concept to get your head around from a digital forensic perspective. Validation with mathematics, I know that
15:01
will have people up and ready and listening and ready to go, but really it's quite boring, so we probably won't talk about that too much. There is some mathematics involved, but you don't need to know any of it, obviously, and we'll talk about that when the time comes. So hopefully that might be early in the slides, so you don't go to sleep before I'm finished. Validated tools, repeatability, reporting, okay, that's all about making sure that you're using tools that are appropriate for the job. It says validated tools, that's
15:33
validated from a technical expert perspective, and as I said before, they can be really, really simple tools, things like traceroute or ping or Notepad. They are valid forensic tools depending on what you're looking for, depending on what you're trying to achieve. Repeatability is just about being able to do the same action and get the same result, so again that's proving that the process that you use or the tool that you use is actually fit for purpose and gives you the desired result. So if, for example, you're
16:05
investigating something, you use two different tools and you came up with a completely different answer, not good. We don't want to do that, particularly from a legal sense; we need to have repeatable endpoints. And then the possible expert presentation is about you, as a forensic investigator, actually standing up in some forum, whether that's in a court or in a boardroom somewhere, actually talking about what it is that you've found in your investigation.
16:36
So there's a whole heap of stuff to unpack in that simple definition. There is a NIST definition. Now, NIST is the National Institute of Standards and Technology. They're an American government organization that have a veritable plethora of documents relating to security, all things security, all types of security, security design, you name it, they've got it. And if you're not familiar with them, I wholeheartedly
17:09
recommend that you surf across to their website, www.nist.gov, and have a look at the resources available, because particularly for those of you that don't have a strong security background, that will be fantastic information for you there. So what did NIST say? They say that it is the application of computer science and investigative procedures involving the examination of digital evidence, that sounds familiar, following proper search authority, chain
17:39
of custody, validation with mathematics, use of validated tools, repeatability, reporting and possible expert testimony. Well, where did we get that first one from? I think that's probably come straight from this. It's also the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Now, you could easily take those digital and computer science references out of
18:10
that and apply that to forensic crime investigation; it's exactly the same thing. So what do you need to be a successful digital forensics practitioner? Well, you need to have lots of knowledge about computers and technology, both contemporary and legacy, so that means you need to know about old stuff as well, because there might be an occasion where you need to investigate a crime that's been perpetrated using a Windows XP device, for example, and if you have no idea what Windows XP is, you're going
18:42
to find it difficult, as a very simple example. But you need to have lots of knowledge, a broad range of knowledge. You don't necessarily have to have an in-depth knowledge, like a really, really deep level of understanding. So, for instance, if you want to do network forensics, it doesn't mean you have to go and get a Cisco Certified Internetwork Expert certificate, okay, you don't have to be a CCIE, but you do have to have a good broad understanding of network
19:13
architecture, switching and routing, so on and so forth, okay, to intelligently be able to investigate in that sort of environment. And that's the same with computers, whether it's storage systems, whether it's looking at email forensics, virtualization, social media, whatever you're looking at, you need to have some level of knowledge, a good level of knowledge, about that particular area in order to be able to successfully investigate in that area. And if you don't, you need to know where
19:44
you can go to find out that knowledge from a trusted, reliable source, or pass it on to someone who does have that knowledge. You need to be professional about your conduct. Well, that's hardly going to be surprising. I mean, all of us who are in professional vocations or professional jobs, we have a certain level of professional conduct that we have to adhere to. Being a digital forensic practitioner is no different, and particularly from a legal perspective, if you're working on legal cases then
20:16
there's a higher level of expectation around your conduct. The sense which is not so common but needs to be so: common sense is something that you need, so as not to take leaps of faith or jump to rash conclusions, but to sit down and analyze things, think about things, and apply what you know to the things that you are finding in your evidence gathering, and try to make sense of it in some coherent way. I mean, you need some common sense, you need the ability to think
20:48
outside the box, so that's to think a little abstractly or a little differently, so as not to be caught with tunnel vision and maintain so much focus on something that you can't see outside that little sphere. Attention to detail is really important as well, so you've got to be able to dot the i's and cross the t's and really go over things really carefully to make sure that you don't miss anything. And then, probably most importantly, in
21:19
all walks of life, because no matter what you're doing, to be successful you must be persistent, okay. You have to be braver for five seconds longer than someone else and you'll succeed, okay, you just have to keep pushing. You're almost impossible to beat or overcome if you never give up. So persistence, yes, it's a dot point on this slide, useful as a digital forensic practitioner, but it applies to anything you do in life. If you're persistent you will ultimately succeed and you'll
21:50
get to where you need to be.

Sorry, just a couple of quick ones. Absolutely, of course. This is a refresher course. How much has digital forensics changed in the six years since we last did the short course, in terms of what the subject, or as an industry as a whole? I would say, I guess I'm more interested in the industry as a whole, you know, like the subject changes as well. I mean, I guess, as we were sort of alluding to before we
22:21
actually started this evening, you and I had a bit of a conversation about this, and I think the main way in which it's changed is probably the tools, and the focus, so the types of investigation that you might be doing. So in terms of a digital forensic perspective, obviously we're looking at digital systems, we're looking at IoT systems, we're looking at computer crime. So the evolution: computer crime evolves all the time. Like, say for instance, the last time we ran this course we probably weren't really talking about ransomware all that
22:52
much, whereas we'll talk about that a little bit in, I think, week three or week four, I don't know, somewhere along the way anyway, we'll talk a little bit about ransomware. So the focus that we need to have in terms of what sort of crimes we're investigating has changed somewhat, and obviously the tools are getting better and more sophisticated and more varied. So as I said before, you could still have really simple tools, and you can be a perfectly adequate,
23:23
you can have a perfectly adequate forensic toolkit using open source tools, if you're comfortable in that space, or you may find you could pay thousands, tens of thousands of dollars for either bespoke or commercial forensic packages that you can buy, like EnCase and things like that. So they're probably the two main things I think that have probably changed the most: the tools, and potentially the types of crimes that we're looking at; they evolve all the time.
23:53
In terms of the process, the legal process, the process that you go through as a forensic investigator, not a lot of that has changed. The way you investigate a computer-perpetrated crime is still the same now as what it was five years ago. There's still certain steps and checks and balances that you have to go through, and a lot of that revolves around this concept of chain of custody, rules of best evidence, and making sure that we're able to provide the best evidence to the court or
24:25
the disciplinary hearing, if you like, in a non-legal sense, providing the best evidence to that that we can, and a true reflection of the facts. And so the actual process itself has changed relatively little, and it will probably remain so for forever and a day. Does that make sense? Yeah, heaps. Yeah, let's keep moving, we'll leave the rest till the end. Okay.
24:56
So in terms of maintaining our professional conduct, we're talking about our ethics, our morals and our standards of behavior. So basically, don't be a crooked forensic investigator. The idea is that you follow all the processes that we talk about in this subject, and probably more in the forensic investigation subject, so the 513 subject that IT Masters offers, and we talk about chain of custody and the rules of best evidence and the investigative process and the order in which you
25:25
do things, and that's part of your ethics and your morals, is keeping to that: not jumping the gun, not making assumptions, not trying to find things that aren't there. So just follow the bouncing ball and keep to the script, and that's a really key point around that professional conduct. And we can talk about more obvious things, which I don't really want to, but you can mention them, in terms of the typical things: not taking bribes, or someone saying, hey,
25:56
if you lose that bit of evidence I'll buy you a case of beer, or whatever it is. Those sorts of things, they're pretty obvious things that everyone thinks of, but what I really want to impress on you is that the ethics and morals and standards are really more around the process in which you carry your investigations out, more than anything else. So to help with that, we've got to exhibit
26:26
the highest level of behavior at all times. So it's really important to maintain our objectivity, okay, and that can be really hard sometimes depending on the crime that we're investigating. There are certain crimes that are very difficult to, or certain incidents, that will resonate with you on a personal level. For instance, things around abuse of children, for a lot of people, are really hard to handle, because a lot of us have kids, we love
26:58
our kids dearly and we hate to see kids, defenseless children, in that sort of environment. But you've got to be able to abstract yourself from that and look at things really objectively, because otherwise you end up going down a rabbit hole and end up somewhere that you don't want to be, or it will damage the investigation, in which case you've lost the whole point and you've gone against everything you want to go against anyway. And then maintain your credibility by maintaining confidentiality, so don't go
27:30
blabbing around everywhere what you're doing and what you've found. Keep your cards close to your chest. That's ethical behavior; telling everyone what you're doing and why you're doing it is not ethical behavior. Standards of skills is also really important as well, so you should make sure that you keep your skills up to date. Okay, yes, we have a skill set around the investigative processes, but we've also got a really
28:01
high level of skill requirement for the technical side. So it's all right to say you can get forensic tools that will do a lot of the groundwork for you and put everything into a nice database and spit out reports and all this sort of jazz, but you still have to, as a good forensic investigator, you must surely want, and must be able, to know the ins and outs of every tool that you're using, so that you don't make mistakes, because if you make mistakes you jeopardize the output, so the
28:33
evidence, of your investigation. So it's really important that we keep our skills up to date, and if we're going to go into a different area of investigation, so we're going to do some network forensics and we don't know much about networking, then don't start doing those investigations until you've upskilled appropriately. Pass it off to someone else, get some help in, or decline to take the case if you're an employment investigator. The basic idea is stay in your lane. Yeah, stay in the lane, understand what you're good at and keep to your strengths, because if you don't, you can jeopardize
29:05
the output, or jeopardize the result, of some very, very serious crimes and court cases potentially, if you get it wrong. Or even in the easiest scenario, if you talk about an investigation within a company itself, just an infraction on an email usage policy for example, you might end up getting someone fired for something they didn't actually do, okay, if you don't have the expertise, you don't maintain
29:36
objectivity and you don't keep things quiet. Okay, in terms of the digital forensic roadmap, there are typically eight steps that we talk about in this particular subject. So they are: search authority, so that is a search warrant, or an authorization letter in the case of a corporate investigation. That's just giving you the go-ahead; someone above you, someone with moral authority and with the authority to do so, is giving you permission
30:06
to investigate. That's number one; if you don't have that, nothing else matters. Chain of custody, so that's making sure that any evidence you find, from the moment you find it, time and date, to the moment you present it in court, time and date, everything that you do, everything that is done by others to that evidence, every trip that evidence takes, every journey it takes, everywhere it is stored, everywhere it is
30:37
referenced, everywhere it is tested, everywhere it is used, is accounted for. That all has to be completely documented; that's the chain of custody. So that shows, if you get it right, a completely unbroken link from the moment you find the evidence to the moment it is presented in court. You can account for every single step, every single operation that's occurred on that evidence, every single part of the way of that journey. And again, if you don't have that, that then allows
31:09
the defense to come in and say, well, there's some doubt here: what happened in this area here, what happened at this time, how do we know that something wasn't changed, you've changed the evidence in this time. So it allows them to introduce doubt, and that, in a criminal sense, is all they need; they need a reasonable doubt on your evidence to have it thrown out or have it disregarded. Okay, we then have imaging and hashing functions, so this is where the mathematics come into it, and I'm not going to bore you with the details of it, but basically we create an image, or we create an exact
31:41
bit-for-bit copy of the device that we're trying to, and we're talking about disk drives or solid-state drives or some sort of memory device, some sort of storage device, we create an exact image of it. And in fact we create more than one image, because if we only create one image, and through the process of our investigations we completely mess it up and destroy it, we've got to go back to the original again, and every time you go back to the original you run the risk of introducing
32:12
errors or introducing changes to that original data, that original evidence, and we don't want to do that. So we take an image of the original evidence, and we then make copies of that image, and we then do our own investigations only on the copies, okay. So this is an absolute golden rule of digital forensics: we never, well, when I say never, there are circumstances where there are times when you will have to do investigation on the fly on the original evidence,
32:43
but if you can avoid it, if at all possible, to avoid it, you would make a copy of it, take it off site and then do your investigations there. The hashing function is a mathematical function, so a hash is simply a tool, or a hashing tool is simply a tool that, if you like, you process the evidence that you're looking at using this hashing tool and it spits out a value, okay, a fixed value. Now that fixed value is completely unique
33:13
to the evidence that you have run through the tool, so if that evidence changes even just, so you've got a Word document and you add a full stop to that Word document and then run the hashing tool again, it will spit out a different value, and so you automatically know that something has changed. You might not know what has changed, but you know that something's changed in that document. So that's a way of proving the authenticity, or the integrity if you like, of the evidence that you're looking at, because you've run a hash over the original, this is the value we've got,
33:44
we run a hash over the image, we get the same value spat out, therefore the two copies must be identical. If there's a difference in the hash value that's spat out then the images are different, and we have to look at why they're different, because there's no point investigating an image if it's not an exact replica of the original. Validated tools: validated tools is really just saying use tools that we know work and we know provide a fixed output,
34:15
we know what we're going to get from
them so don't go using some experimental
tool that you're not sure what's going
to come out of it
we then analyze so we analyze what we
found
analyze the output from the tools that
we've used
we then pass it through a quality
assurance process
which is really just making sure that we
run a tool
get the result analyze it come to
conclusion a
we might run the same tool again
look analyze come to conclusion a again
beauty
34:45
we might run a tool analyze come to
conclusion a
then we might run another tool a totally
different one
output data analyze still come to the
same conclusion
okay we're going well okay so we've got
content and we've got construct validity
so we've got validity using the same
tool so we know we get the same
repeatable outcome and we've got
different
validity we've got two different tools
that provide the same output
okay so we're going well we're doing all
35:16
the right things
we then have to report so obviously
that's what we need to do in the end
we go through the uh we see the
evidence we get the evidence that we can
offer
through our investigations we validate
it we're sorry we
validate it we analyze it we come up
with
some hypotheses or some facts about what
happened
we write that down in a report and we
submit it
to whoever hired us for the case whether
35:47
it's
a police investigator a lawyer or
attorney
or an organization and then we might
have to
possibly be an expert presenter
either in court or just to a board room
full of people
if we look at digital forensic versus
other disciplines
we come up with this thing called the
investigations triad
now the investigations triad for those
of you that
have done the cyber security
fundamentals
a short course or some of you may have
36:19
actually done the subject as well
because i know there's some current
students out there in mooc land
you might be familiar with the cia triad
or the cia/dad triad
and this is sort of the digital
forensics equivalent of that and by the
way if you're not familiar with either
of those it doesn't matter
so on this side we've got vulnerability
and threat assessment and our risk
management
so that's about understanding what our
assets are
what the threats and vulnerabilities to
those assets are
and how much they really effectively
36:50
mean to our organization
so we provide a risk rating based on
the value of our asset to us as an
organization and what the likelihood
is of it being impacted by some
vulnerability or threat
we can do network intrusion detection
and incident response so that's about
our alerting and monitoring and
potentially
incident response in preventing blocking
getting ourself back to normal area
normal operations and then at the bottom
of that as a platform of that we have
37:22
our digital investigations okay and all
three of these
interact together in order to
work in harmony to provide a complete uh
secure solution or a more complete
secure solution
developing your digital forensic
resources okay so
as i was saying at the top we need to be
familiar with a lot of different things
so you've got to know more than one
computing platform
you might have to know a bit about dos
old yes legacy
37:54
definitely dead in the water probably
you might come across it
windows 95
windows xp good golly how long ago do
they go out
but you might come across them so it's
good to have a working knowledge of
of the operating system underlying and
it's much
simpler than the current operating
systems in in a way
linux different flavors okay there's
lots of different versions of linux
um at least be familiar with a couple of
them macintosh dare i say mac os which
38:25
is really just linux underneath anyway
let's face it
uh and the current windows platforms as
well
so and dare i say i'm going to add in
os/2 there wow if you ever see that
please
send me an email because if you ever see
that i'll be absolutely
flabbergasted there's probably a lot of
you out there that haven't even heard of
os/2
but look it up it makes for funny
reading
there's also network operating systems
as well so things like
novell netware although it's called
38:57
edirectory or some other thing now i
can't remember it's been years since
i've worked with it
and windows is obviously a network
operating system but there are others as
well
that you may come across you also need
to be familiar with the new technology
so
cloud and social media and smart devices
byo is a big thing now
so we need to be familiar with that sort
of thing as well tablets and the
different phone systems
again we'll look at those in week three
in a bit more detail
join as many computer user groups as you
can
39:27
there's a few of them there that you can
potentially look at and there'll be
others
in your own country depending on where
you're coming from
but there's lots of different resources
out there on the web
that you can find user groups facebook
groups
you know message boards all sorts of
things that you can join
to help to expand your knowledge the
more you know the better
develop your resources again so exchange
your information about techniques
related computer investigation
and security so exchange with other
39:59
people interact with other people
through this online course you've got
access to discussion forums
build your networks start to talk with
other like-minded people
build your skills base user groups can
be helpful
absolutely build a network of computer
forensic experts and other professionals
look up people on
linkedin look up people on facebook okay
look up some of the research networks so
researchgate
is a really good website you can go to
as well so
you can register with that for free and
40:30
you can get in contact with other
forensic
researchers and they can help you out
yes they're probably more on the
academic side but they'll be able to
help you build contacts
you'll get referees you will you'll find
other resources that you won't
necessarily get from the
industrial or the industry sources
uh keep in touch through emails and um
other networks so your social media
networks get professional
certifications such as a cissp
40:59
okay if you're doing network forensics
look at the
cisco certifications or the juniper
certifications or maybe the
if you are desperate the comptia
certifications
um they're more entry level but you
could start there okay try and build
yourself
the more knowledge you have on all these
different areas the better you'll be as
a
as a digital forensic investigator i i
used to say
um as i was coming through now the ranks
over the 30 odd years that i've been in
the it industry
i started in you know as most a lot of
41:30
people will have on a help desk
i then moved into desktop support then
network operating system support
and then i moved into networking
pure networking routing and switching
and then into security and then the
voice over ip and then into contact
center then into wireless
and all these different areas all these
different layers of knowledge start to
build up
so even though now i would not i could
not put my hand on my heart and say i am
a
world leading expert on any of those
things because i have such a broad range
of experiences and
42:01
there'll be many of you out there in the
same case
you'll be able to apply those really
well to digital investigations
and provide that knowledge that you've
built up over many years
of troubleshooting and designing systems
and apply that to digital forensics for
those of you that don't have those
skills yet
it doesn't matter you'll get them it
takes time you can't rush experience
okay you've just got to live through it
so
go out there and have a go do whatever
you can to get whatever experience you
can because
42:32
while some things might not lead to what
you expect
there are no bad experiences really
they're only
experiences depends on how you react to
them
and how you use them in the future
so types of digital investigations we
can have two categories we can really
have public investigations or we can
have private or corporate investigations
public or private yeah okay bit blamons
there but
anyway that's the way it's written so
public investigations involve
government agencies so we're talking
about criminal stuff criminal
43:03
investigations
prosecution where we need things that we
need search warrants for
most australian states and territories i
don't know why that says most i would
have thought it would have been all but
as i said at the top of the hour i'm not
an absolute expert on the legal side of
things
australian states and territories
require search warrants to search a
person or premises
most countries in the world require that
as well
there are some that don't but
most countries in the world certainly
require that legal
43:38
processing in terms of the private or
corporate investigations these deal with
private companies so non-law enforcement
they may or may not be lawyers or
solicitors involved
they're not governed directly by
criminal law but they could potentially
lead to criminal investigation depending
on what the outcome
is and these are generally governed by
some sort of internal policy or some
sort of governance
or acceptable usage or acceptable
behavior policy
that we expect our employees to behave
44:11
that we expect them to adhere to some
sort of code of conduct
and they've broken that and so we're
going to perform an investigation
and either give them a warning which you
have to do you need three
formal warnings in australia before you
can be fired
um depending on how severe the the the
breakage of the
infraction has been um
yeah so that needs to be done before we
can
have any remediation if we
just take a step sort of sideways and
44:43
look at the
law enforcement agency investigations
there's a couple of
definitions that we sort of need to have
an understanding on we've got a digital
evidence first responder so
this is a person that arrives on the
into the scene
initially assesses the situation and
then takes precautions to acquire and
preserve
evidence now the first responder may not
necessarily be anyone with any digital
knowledge whatsoever or very much
but their job is to just make sure that
nothing's touched
45:13
that everything remains as it is okay
if they do have some sort of digital
background then it's to maybe
take some photos of things make some
notes about what's on the screen of a
computer or the layout
of particular peripherals or system
settings or whatever
but it's not necessarily to do anything
actively it's passively looking
seeing what's going on we then have the
digital evidence
specialist so that's the school
investigator that comes along
45:44
and starts to determine what's going on
determine what evidence and data is
potentially there what we could
potentially seize
and then determine ultimately whether
there's other specialist
people with special skills that need to
be called in to the investigation
and then lastly an affidavit is a sworn
statement of supportive facts about
evidence or a crime
so in other words this is a statement so
a legal statement that you
that you give to say this is what we
found
46:16
this is what the the facts are as we see
them as
investigation has seen so far and
they also will include exhibits that
support
whatever the content of the affidavit is
so you can't just
make a baseless claim you've got to have
some evidence to back it up
in criminal cases a suspect is tried
for a criminal offence okay like a
burglary or murder or molestation
something like that
computers networks are only tools that
can be used to commit
crimes and many states in australia have
46:51
added specific language to the criminal
codes
to define crimes involving specifically
involving computers
so digital crimes or digital forensic
investigations
isn't just about investigating digital
crime so things like fraud
or theft of intellectual property or
denial of service attacks those sort of
things or ransomware okay
it's also about invest finding evidence
associated with other physical crimes
like burglary or murder or assault
47:23
or car theft okay because those crimes
can also be
perpetrated using digital resources
obviously phones for example text
messages
emails okay social media
all these sort of things can be used
following the legal process the legal
process that you need to follow will be
dependent on your local custom the
legislative standards and the rules of
evidence
that you are bound by in your
jurisdiction okay
so um we're not going to within this
47:54
online course we're not going to talk
too much about the details of that but
just
be aware that they will exist and that
they will be different
depending on where you are in the world
depending on where state you are maybe
depending on which county or town you're
in
okay so you just got to be aware of
those as well
a criminal case will then begin when
someone finds evidence of an illegal
act someone will make an
allegation an accusation or a
supposition of fact
the police will then offer the police
48:28
will then
interview whoever makes that complaint
writes a report about the crime it could
even be that it's just
witnessed by the police or it's an
investigation that starts through them
and then the investigators will delegate
collect and process the information
related to that particular complaint
and that's where we as digital forensic
investigators come in but there'll also be
other investigators
that aren't handling digital assets that
will come in and look at that
as well so it's the same process whether
it's real
a real physical crime or a digital crime
48:59
on a private or corporate investigation
these will involve
you know regular companies of any size
could be small could be huge
and potentially lawyers or solicitors
who address
the company policy violations and they
litigate in the disputes
related to those so in terms of computer
corporate crimes corporate computer
crimes it might be
something around email harassment
whether that's
of a sexual nature or blackmail or
something else
might be falsification of important data
49:31
or
say theft of intellectual property it
could be gender and age
discrimination which does exist it might
be embezzlement
it might be as bugs bunny would say
sabotage
or it could be industrial espionage okay
so all of those
more bugs bunny content please okay
right oh i can do that
and do some i can do some porky pig too
so sabatagi or
industrial espionage okay they are all
valid computer
uh corporate computer crimes and but
it's not exhaustive there's lots of
50:02
other things that may occur
um in that i mean you could always you
could also
no i won't take it down that path i'll
i'll i'll leave that for the next one
next week understanding corporate
investigation so establishing the
company policies
is really important so as an
investigator we need to understand
and establish an understanding of what
the company policies are
around the allegations that have been
made
which is a really good way to avoid
50:35
litigation
by publishing and maintaining policies
that employees
know about they can read them they're
not ambiguous
and they know that they are bound to
follow them okay if you've got that
then if they do something wrong you've
got a leg to stand on
there's somewhere you can take it if you
don't have those
company policies they're not established
they're not easily accessible they're
ambiguous
or they can't be impossible to
understand and
people decide that don't follow them
because there's not
51:06
company or management support for those
policies then
you're in a world of hurt and your
investigation is not going to go
anywhere so we need to make sure that
they're published
they're concise they are comprehensive
so across everything that we want
associate a
behavior to be ruled or managed on and
they
are unambiguous well-defined and in a
place where everyone knows they are
and can get access to them freely and in
fact in my opinion they
51:36
should be part of every induction
process for all new employees
so long as they're relevant to their job function
now one example that business can use to
avoid litigation
is to simply display a warning banner on
computer screens
so like this one says service is for
authorized clients only so if you're not
an authorized client
you can't get on the only thing i would
say
is that it is not clear necessarily
52:08
who with all who is authorized so you
could potentially
claim that oh i didn't know i was
authorized i thought i was authorized
for this particular system
okay so there's some a little bit of
ambiguity there in my opinion with that
particular
bit there but that's you know
banners these sort of banners are pretty
commonplace particularly in larger
organizations
uh designating an authorised requester
so an authorized requester has the power
to conduct investigations and
policies should be defined by the
52:40
executive management again you need
um support from upper level people if
you don't have that
doesn't work there are certain groups
that within your organization that
should have direct authority
to be able to go and request an
investigation if they think
some policy or procedure within their
company has been breached
okay and these include these guys here
so
corporate security investigations the
ethics office if you've got one equal
opportunity
equal employment opportunity office
53:10
internal auditing or general counsel or
legal department
if you haven't got those groups within
your organization
then someone needs to have that
authority to
ask for an investigation to perform the
investigation themselves depending on
the size of your organization
when we conduct their security
investigations we have to be aware of
the type of situations that we might
find ourselves in
so are we looking at abuse or misuse of
corporate assets so we look at email
abuse internet
abuse in terms of abuse i'm not talking
53:42
about literally swearing or abusing
someone
i'm talking about misuse of that service
for an unauthorized means
okay so those those three examples there
are handled, might be handled slightly
differently email internet
you know misuse uh closely related but
misuse of corporate assets what does
that really mean
are we talking about laptops servers
switches routers you know what are we
actually talking about it's going to
depend
on the job role that you're fulfilling
54:14
we need to be sure that we distinguish
between
the company's abuse problems and
potential criminal problems because
there's
a fine line sometimes between misusing
company assets and
being in the criminal areas in which case
the investigation becomes different
the burden of proof becomes different
the process becomes more stringent
because
the chain of custody and the rules of
best evidence
suddenly become a little heavier
54:47
and then we have to consider what
happens when a civilian or corporate
investigative agent delivers evidence
to a law enforcement officer okay
because
as i just alluded to the burden of proof
is slightly different or maybe different
distinguishing personal and company
property so many company policies
distinguish between personal and
computer company computer property
and that's because people like to bring
their own devices um it's good for it
can be good for the company
because it means they don't have to
outlay in assets
55:19
but it also can bring a myriad of
problems particularly from a technical
aspect in terms of how can we connect
this device to a network how do we
protect our network against
crime or viruses or other you know
malfunctions coming from those
particular devices
from a general sense um then from an
investigation percent
perspective we have to have that
understanding of when
is the use categorized as business use
and when is it categorized as personal
use
55:50
and what's the overlap and you know
there's some
dodgy ground that you're you know pretty
soft ground that you're standing on
there
skating on thin ice to use another
analogy so
you need to be careful that you have
that understanding of
where that line between personal and
company property and personal and
company use is
because if it's outside you know the
policies of the company but it's
still criminal then there might still be
an obligation to report it
there's a different a different phase it
56:21
opens up
some useful forensic tools for your
learning so this really leads into
later on in our online course but these
are all
tools that are useful for you to have a
bit of a look at and they are all tools
that i use
in the subject itc 597 which i said as i
said the online course is based on
so do have a look at those we'll
actually the first
hands-on activity for this week actually
involves this one here
56:53
autopsy so you need to download that
and then there's some resources on the
moodle site that you can download
there's a
a chapter or some pages out of one of
the chapters of the actual textbook that
we use for
this particular subject and there's an
activity there that you can follow along
with so you don't have to have any
experience
you just need to download this
particular package here with a puppy dog
install that and then there's a file on
the moodle site which is a disk image
file
you can download that and follow the
57:26
investigation
in the pdf snippet from the chapter
so that's your first online task for the
course um
os forensics is something we looked at
in the last week in fact i think we look
at all the fk
ftk imager lite comes up as well uh
winhex comes up in a few slides as well
so these are all tools that we will
reference over the next four weeks
and you may find will be useful for you
to start playing around with
they're all free or there's free
versions of all of them
57:57
that you can have a look at os forensics
is a commercial product but you can get
a free
limited version of it which we'll have a
look at in
week four and you can use that to get
some familiarity with tools
if you you haven't got any uh idea with
forensic tools at this stage
and there you go hands-on activity topic
one download autopsy
using that link and away you go then
read the pdf document hands on activity
topic one it's called so that's on the
moodle site
and then there's this file here which is
58:29
the accompaniment to it
and then if you read through that pdf
you'll be able to go through
the particular investigation step by
step and get some experience and get a
bit of a feel for what
the digital forensic uh uh
area is like and there you go
guys now i have finished
one minute over now i know i know you're
going to say
i haven't answered any questions yet but
no i'm very
i've finished and if we consider that
59:01
you probably took up 10 minutes at the
start i'm actually oh yeah
that's they've probably done pretty well
for me but just
for everyone's attention um this will
slip out drastically particularly when
we get to week three so be prepared for
a big one that week
so right guy over to you for questions
if you've got any
there's plenty of them um
no no you've done your lecture and
that's the thing now people can hang
around and listen to the
questions there's still 570 of you
around so that's bloody great
well goodbye retain them yeah and now
they're all asleep
59:32
and forgotten no i'm sure that's not the
case um
thank you matt uh just a
couple of quick ones um if you hate the
chat that's okay
um you can work around that there's many
ways to do that
and hannah takes you through it a few
times each webinar my favorite is to use
the second screen
and hide it on the second screen maybe
even turn it off um
but there's a bunch of really good
questions um and i want to start with uh
i guess the job market and the job role
01:00:03
range
um which is something that i guess i'm
really
focused on as part of it masters is
about application of the theories
to various enterprise settings um so
there's questions from
where's for example would you could you
pick an area
and develop a forensic expertise in that
area not withstanding your advice to to
like really you know learn a few things
but if you have a broad knowledge
is there the potential is the job market
there
to sort of specialize in a particular
area there's also a question from an
01:00:34
anonymous attendee
um you know are these investigations
done by an individual or a two-person
team um
what sort of options are there for
people
um well there's a lot there's a lot
obviously you can get into
um i i guess okay
let's look at it from first of all if we
look at
law enforcement type investigations now
generally to be a digital forensic
investigator
01:01:03
in the law enforcement field you would
i can't say for certain in all states of
australia because i don't know
but certainly in some states of
australia the ones that i know about
you actually have to be a police officer
for a start so you've got to have that
expertise if you like that that that
badge on your cv
now then on top of that you would then
um
then you would then apply to go into a
digital forensic area
um and whether you would get into that
01:01:35
would depend on
a number other things let's face it if
you're straight out of high school
straight into the police force you're
there for three or four years
and then you apply to become a digital
forensic investigator
then the expectation is you're probably
not going to have
the skills that you're going to need for
a start and you'd be trained on the job
okay so that's
that sort of sold on it you may also
come into it from
having an extensive i t background in
say networking or servers or something
you then join the police force
01:02:05
and then you become a forensic
investigator with the aim of becoming a
forensic investigator or you could
potentially do that with the afp
here in australia as well or
yeah or other government agencies if you
know what i mean
so you could certainly take that path so
law enforcement
is probably a little different
in comparison to the private
investigation side
with the private investigation side
obviously you have you have the two
two options of either working for
01:02:38
yourself
and if you do that if you want to do
forensic investigations at a corporate
sense you're not going to be able to do
law enforcement type forensic
investigations
self-employed for a start that's that's
just not going to happen
that's not available to you but you can
certainly do corporate investigations
um and in order to do that however if
you were to be self-employed then
you would need to have
a really broad range of skills so that's
what i'm saying before
01:03:08
you know learn as much as you can about
as many things as you can
now i wouldn't advocate someone go
into digital forensic investigations
straight out of uni or straight out of
high school i think that's
you know that's way too much to ask it's
the sort of thing that you build up to
over many years
so you might you might for instance so
decide that
you've been working in server operating
system let's say you've been working
with active directory and windows
systems for
you know five ten years and you decide
that you want to do investigations
01:03:40
uh around that particular operating
system
you can do that okay the the opportunity
is there for you to be
specifically a investigator around
windows systems
now is that necessarily going to help
you
if you uh so i guess what i'm saying no
okay
i'll take that back if you're going to
then do
investigations and you're going to
specialize as a windows investigator
then
you're going to have to work with other
people because digital
01:04:12
crimes are not typically perpetrated
using
one type of digital technology there are
usually multiple digital technologies
involved particularly in that corporate
sense
okay so you need to either work with
someone else or have that broad range
of expertise so i think my my overriding
advice is
while you can do certain parts of an
investigation with very specific
technological skills so say networking
or
security or server based skills
01:04:44
in general if you only had one skill set
you would find it difficult to do a
complete investigation you would need to
work with other
people suitably skilled people to get to
the end conclusion if you've got a broad
range of skills though
sure you could work for yourself or you
could get a
job as a consulting forensic
investigator
from a corporate sense you might get a
job within
a hr department or a security team and
become
a forensic investigator that way the other
01:05:16
way you can think of it too is that you
could quite
easily be a member of a technical
security team
and be responsible in an incident for
providing an investigation of that
incident
and coming back with some evidence
around what happened and who's at fault
and then to determine whether it is
something for a disciplinary committee
or a criminal proceeding
so you don't always have to be if you
like
you know we talk about in this
01:05:48
particular
tonight and we talk about it in the
subject about being responsible for
doing the investigation presenting the
evidence chain of custody rules the best
evidence presenting the report
being the expert witness you don't have
to start at that
so you can start doing you know sitting
on an it security team or a network team
an incident happens they might say hey
matt can you
have a look at the routers and switches
find out what you know find out what's
going on keep some evidence you know
and you follow the same process and you
01:06:20
come back with some information which
helps to confirm or deny that
something's going on and gives you some
idea of what's happening
so that's really forensic investigation
is just
troubleshooting on steroids so it's
troubleshooting and documentation
to the nth degree so it answers the
question
yes there are opportunities um
probably not straight you know entry
level there's not as many entry-level
opportunities around as what they are
for uh the more experienced people but
01:06:52
it's definitely a valid and very
fulfilling career path if you wanted to
want to take it on did that answer that
i i sure hope so it did for me um
and and as we so often say matt you know
in any of these sort of roles and you
sort of talk about what roles are
available and what range
uh is available within the role you know
so much of it is about
transitioning from one emphasis to
another and it'll take a couple of years
you know like
a lot of the a lot of the skills you
01:07:23
were talking about matt
you know what you need to be a
successful digital forensic practitioner
the first point was very tech heavy but
then the rest were sort of
what you know frequently called soft
skills professional conduct common sense
yeah yeah critical thinking ability to
think outside the box and attention to
detail
and then and persistence and i guess the
thing is too
particularly from a legal perspective
that that's what makes it possible to be
you know a police officer from no
i.t background uh three or four years in
01:07:55
the force for example and you show those
soft skills and they go hey
you're perfect for the job we can give
you the technical skills
as i often say you know you can teach
people technical skills
but you can't teach people attitude
if you've got a crappy attitude or a
crappy outlook on something
that you know quite often that can't
change but if you've got a good
attitude and a good aptitude for digital
forensics that'll shine out
in what you're doing you can learn the
other technical skills none of these
01:08:26
tools that we've talked about none of
these skills that i've talked about
are things that are beyond the realm of
mere mortals
it's all possible you just have to have
that
attribute of persistence and if you're
low on i.t expertise um csu does a
course that it masters has very little
to do with
and then chucked a link to to that
course in the chat so if you scroll up
you can find that and go and have a look
and it's a good sort of bridging sort of
course it's a bit yeah particularly if
you're interested in the in the public
01:08:56
investigations
you can sort of do the policing side of
things and then learn the tech stuff
or of course you know if it's suitable
for you can go the other way around
oh there are there were a lot of
questions when you were talking about
hashing
about hashing uh my first one is what's
a hashing uh because
for those of you that aren't aware i'm
not very tech savvy but there's a few
questions
um which hashing standard do you use
um do you uh is it
can you give us an example of documents
with different hashing
01:09:27
uh and then there was one little brief
snippet in the chat that i saw about
hash collisions so i just wondering if
you could talk about them um
whoever was talking about it was saying
hash collision in theory versus the
likelihood of actually seeing it in
practice
yep yep good question so um
i guess the simplest way to answer that
is to say that
a hash is a mathematical
algorithm that's all it's a mathematical
equation that's literally what it is
and what you do is you take that that
01:09:58
mathematical algorithm
is built into a little program so it
might be just a
um a command line program or it could be
a
you know windows based code from command
line
command a program i'll get it in a
minute so it can be a windows app or it
can be a command line tool why don't i
just say that
anyway so it's a mathematical algorithm
built within a tool
and what you do is you take a document
or a file and you
01:10:29
pass that file you give that file to
that application or command line
and that command line analyzes it
and it passes it through passes all the
bits and bytes of that particular file
through the
mathematical algorithm and it spits out
a result
okay and it's just it's called a hash
value
and it's literally just a string of hex
digits so
hex digits are 0 to 9 a to f
so it spits out a value of hex digits
01:11:00
how big that hash value
is is determined by the hashing
algorithm that you use
so there's a number of them the two ones
that most people are probably familiar
with
are md5 and
sha256 okay so they're hashing
algorithms so then
once you have that value once it spits
out that hash for you that hash value
you now have a value that is
that represents that particular file as
01:11:31
that file is exactly
now if you were to go and change that
file
somehow so as i said before in the
example
you've got a letter that you've written
to your grandmother in a word document
you save it you run it through the
hashing algorithm the hashing tool and
it spits out
a hash value you then think oh i forgot
to say something to grandma and you open
up the document again and you add in
another sentence
and you save it again if you were to run
that document through the hashing
01:12:02
algorithm again the hashing tool again
it would spit out a completely different
hash value
okay they would not be the same because
the document has changed
so that what that hashing value provides
you with
is proof that a document has either
changed
or that a document has not changed so it
proves the integrity of that document
and the way we use that in communication
and security
is to say oh actually i'll use the
01:12:33
digital forensics example of course why
wouldn't i i'm in a digital forensics
course
so if i had a hard drive for example
that i wanted to
investigate for evidence i would take my
hashing algorithm
without going through all the steps that
you need to do but you take the hashing
algorithm the hashing program
and you'd run it on the whole disk
itself okay on the image of the disk and
it would spit out a value
okay say abcd that's the value it spits
out
01:13:04
we then take our copying tool and we
make a direct copy
of that hard drive because as i said we
don't want to work on the hard drive
because if we do
we run the potential of introducing
errors into that hard drive and
therefore changing the potential
evidences there
so from a legal perspective we don't
want to do that so we make a copy of
that hard drive and we come up with an
image
okay a copy of that hard drive but it's
an email it's just called an image file
we then take that same hashing tool
01:13:35
and we run the image through it so what
we're looking for
is for the hashing tool to spit out the
same
value for the image as it does for the
hard drive
because if it does so it spits out a b c
d
then we know that the image we got is an
exact
replica of the hard drive nothing's
changed we know that because
mathematically
that's what the hashing algorithm does
so
we know now that the image we have is an
exact copy
01:14:06
of the original evidence original hard
drive now we can go
and do our investigations on that
however
if in the process of making that copy of
the hard drive to the image
we mess something up there's a mistake
made or something doesn't copy properly
then the image won't be the same and
when we run it through the hashing
algorithm instead of spitting out
abcd it might spit out dcba
so it gives us a different value and we
look at it we go okay
there's something wrong here they're not
the same anymore
01:14:37
so we've got to go back and repeat the
process
similarly it then allows us to go to
court and say
here are our hash values when we made
the copy of the original evidence
the original evidence hash value is ah
the copy was a b c d therefore we can
prove mathematically that we have
exactly the same evidence in the two
spots
so we can go and do our investigations
and have no fear that anything was wrong
okay so hopefully that answers that
question about what a hash is
01:15:08
and why we use it now in terms of the
hash collisions that someone mentioned
so a hash collision occurs when
the output from a hash so we take a file
we take two different files we run them
through the same hashing
algorithm now because they're different
files they should spit out different
values
but a hash collision occurs when they
don't they spit out the same value
now the likelihood of this happening
this this
is possible to happen simply because
01:15:39
mathematical algorithms because they're
written by humans
are not truly random okay so there is a
limit
to how many values depending on the bit
size that you use like
256-bit algorithm compared to a 56-bit
algorithm or 512-bit algorithm
will spit out a larger value so there is
a possibility that you might have two
files that are completely different
that will come to the same output okay
and that's called a hash collision
01:16:11
now the likelihood of that happening is
not very high infinitesimally small
doesn't mean it's impossible
but it's exceptionally unlikely and look
to be honest i
off the top my head i couldn't give you
a um
an estimation of what that would be but
it's an
it's infinitesimal very very
almost almost impossible so what do they
say it's computationally infeasible
which means that the time it would take
for you to generate a collision
01:16:42
is so great that by the time you
generated it
it wouldn't matter anyway that's
basically what we're saying so it's
computationally infeasible not
impossible
but extremely unlikely
one of the downsides of being the emcee
for these short courses is actually not
being able to properly listen to the
answers
as i'm triaging the rest of the
questions i'm sure that was very
interesting
um i'm sorry mathematical so now it
wasn't
no i'm going to go on this no no no it's
i know about
you forget i've got a graduate diploma
01:17:16
in psychology so i understand
the cognitive dissonance you have
between the two tasks ah
i just can't focus on the answer while
i'm reading other people's questions
well i can't that's why i close the
questions as well otherwise i'd get off
track too
excellent um uh just a mere calper
in the middle of that folks uh aaron has
asked um about the responsibilities of a
first responder
um one of the one of the roles in the
earlier slides
um would first responders also undertake
mitigating actions disconnecting from
the network for example to minimize
01:17:46
criminal activity
or is that the different role in that
sort of uh
triad of yeah yeah that's an excellent
question
and that is going to be a little bit
dependent on their level of knowledge so
you will have some
first responders so if they're a
specifically
they're typically a digital
investigation forensic
specialist or someone who's at least
past
these skills so if we look at the
example of the police force if you're a
forensic investigator but you're not
01:18:17
heavily experienced but you've got some
experience you may actually do things
like that so you may see
get to a scene a crime scene and see a
whole heap of messages scrolling up on
the screen you think my god it's
deleting everything on the hard drive
what do i do
pull the power absolutely you could do
that because you're then preserving
evidence
um if you were just you know
a complete uh newbie
or knew nothing about so you're a police
officer that knew nothing about
digital systems at all then that's
01:18:47
probably not something you would
feel comfortable doing you might be able
to you you you know you'd still
potentially need to do it
if that if that action was happening
like there was stuff being deleted
but you might not feel comfortable doing
it so it's going to come down to
the relative experience and skill set of
whoever is first on the scene
beauty thank you um i've asked hannah to
stop
um taking your questions just because we
could go all night and we likely will
anyway but
um so if we don't get to your question
01:19:18
that'll be it
um there was a really interesting
question from ishmael
does digital forensics include
maintaining deploying coding software
to conduct forensics investigations
is automation of these tasks
prevalent possible
um yes
sort of and yes so
the first part is really more about
development so that is
something that you would probably do in
01:19:51
a different context so you may not do
that as a digital forensic investigator
but you would do that as a
developer of software for that
although it is possible that you may be
one in the same if you work for yourself
you might
decide to write your own bespoke tool
for sure
in terms of automation of the tasks now
there are a number of tools that you
could use that will heavily automate
tasks
for you
the only thing i'd be careful of with
that if you're getting something like a
commercial package like
01:20:24
encase for example it will there are a
number of things that will automate so
you basically point and click and away
it goes in
some parts of the investigation so it
automates a lot of things for you
but it's very very very strictly
controlled
the issue i would have is if you just
took
some tools of your own and you decide to
automate do some scripts
that's fine but uh again if you're using
it in a legal sense you'd have to be a
billion percent even though that doesn't
01:20:56
exist you'd have to be a billion percent
sure
that your scripts were 100 that were
spot on
but absolutely perfect otherwise you run
the risk of
errors being introduced the advantage of
being able to run a tool see the output
run another tool see the output run the
you know the first tool again see the
output is that at each step on the way
you can there's a certain result that
you'll be expecting
and you can see whether that expectation
is met and if it's not
01:21:27
you can then delve a little deeper or
what happened there did i make a mistake
has something gone wrong have i
destroyed something
and if you have then you can go back to
another copy of the evidence and start
again
if however that's all script and that's
all automated and you start introducing
errors
and you're not noticing them it can send
it in a rabbit hole that you may never
recover from
so so the answer is yes you can
automate a lot of these things it is
possible but i would probably advise
against
it unless you are exceptionally
01:21:59
experienced and you are exceptionally
sure that
what you are automating is is a simple
task that is going to provide
a known output if that makes sense so be
careful with it
thank you uh combining couple questions
um
how are we adapting to emerging
technology um
k james is asking about difficult to
trace tools such as tails os
alfred's interested in um the
advancements in internet of things and
internet of everything
01:22:29
um i guess is the his policy and
uh i guess legal uh and our policy and
legal frameworks keeping up
um what are some of the challenges
around that um
so the answer that question is poorly
uh in document um and that's hardly
surprising really i mean security
in all facets has always been largely a
reactive
uh type industry let's face it um while
there are lots of standards and best
practices and rules of thumb and blah
01:23:01
blah blah
that we can do in in security protect
ourselves against
a whole myriad of different things and a
whole heap of basic principles
there is always going to be that
zero-day effect
there's always going to be someone who
knows more there's always going to be a
vulnerability that we forgot about
there's always going to be a patch that
we install that creates a vulnerability
that we don't know about
so all those things are always going to
exist and from a digital forensic
perspective particularly around
legislation policy and procedure i mean
01:23:31
man oh man
you know the red tape around that
getting changes to those and keeping
pace with
um the huge pace that technology has
is i mean look it's more or less um
impossible and that's why
sometimes you will see legislation
around digital forensics being very
broad
and seemingly vague but that's because
there's so many things that could
potentially change
uh so many different platforms so many
different directions which you could go
that you can't
01:24:00
specify every single specific thing
uh in a timely fashion and get it
through the
4 000 billion different red stamps it's
got to get rubber stamps has got to get
through to become legislation
so from that point of view um
you know we've got there's legislation
there's policies and procedures in all
organizations that are in place
that are helpful but are they keeping
pace
with what is potentially out there no
absolutely not
i think for the the majority of
01:24:35
companies
um you know there are certain companies
that will be attacked
certain ways and they will always be
attacked certain ways
and there will always be certain crimes
uh
and um infractions of policies that
exist around a certain organization so
if you like they've got a baseline
of infractions and a baseline of crime
that surrounds that particular
organization or enterprise or industry
and so if the legislation and policies
and procedures
01:25:05
take all that into consideration then
would potentially be
suff or within our own little world for
a period of time
but if we're talking about industries or
organizations that are getting
you know zero day attacks all the time
or you know
different sorts of uh crimes are
perpetuated using their systems or their
technologies
and it can be really difficult to keep
pace with that
the other thing we sort of alluded to
throughout the session was
we're talking about guess we can talk
01:25:36
about digital crimes
so specifically traditional digital
crimes like you know the email blackmail
and um the embezzlement and intellectual
property theft and those sorts of things
and that's great
but if we think about crimes like murder
or
assault or car theft or you know robbing
a bank or those sorts of things that can
also be assisted through the use of
technology
then they are a lot more static they are
a lot more static and so
legislation that surrounds the
investigation of those type of crimes
01:26:08
which are
assisted rather than facilitated by
digital assets that that's a different
question then i think
in those terms we're probably doing okay
but from a strictly digital perspective
where
there's always going to be those issues
in making sure that we've got
the mechanisms in place to respond to
digital crimes when they occur that's
that's always going to be a really big
challenge
and of course you know then the
evolution of
security tools and security best
01:26:39
practices around digital forensics
are always you know slightly lagging
behind
the the infiltration of
crimes and and you know the bad things
that are happening so
there's always going to be that balance
there's always probably going to be that
little lag behind
even though you know the gap has closed
significantly over the last
25 30 years so even though
the different attack vectors and
different crimes and the way crimes are
committed using technology is evolving
01:27:10
over time
the gap between that and the
remediations that we put in place and
the ways we can
investigate and find evidence of those
crimes that you know that gap is a lot
closer than what it used to be so
we're not far behind but i think
realistically we're probably always
going to be
behind and that's you know that's
notwithstanding
talking about organizations which are
far beyond the scope of this
uh online course and my areas of
expertise but
you know places like the doj
01:27:43
and cia and you know those mythical
organizations that we see in all the
movies you know what they've got
and what they can do is far beyond what
i understand
um but then there's also obviously
hacker groups and criminal groups that
have a similar limit of knowledge so you
know there's always going to be that
trade-off i think
and then we're back to questions of
ethics oh
um paul that will probably answer your
question um if an investigator cannot
resolve the issue probably because we're
behind in some
01:28:16
uh some guys um what about the money
paid by the customer
no doubt it's either a sunk cost or um
or you might be able to have
you know well there'll be you know
there'll be certain things written into
when you enter into an agreement like
that you
enter into a contract that will have
certain stipulations so
um it may be that the investigator will
say uh
you know it might be we don't find
anything or we can't do it you don't pay
top things simple symbol that or it
might be
you know depending on what we find you
might pay this amount or you know
there'll be some sort of contractual
01:28:47
agreement the tv lawyer adds no win no
fee
yeah yeah it's very exciting do you have
any any
interesting or hilarious or terrifying
or sad case studies about
digital forensics or any famous forensic
blunders that you could share
probably not off the top my head
actually supposed to be pretty well
hidden
um well yeah forensic blunders certainly
are most people don't
um i mean i've certainly i've certainly
got some horror stories
um mainly around and there's lots of
01:29:17
them on actually i can probably
i can we can probably post a couple of
uh videos
up on on the resources page for you guys
but there's some there's some absolute
hilarious ones on youtube
but they're mainly centered around
testimony so people who have done
forensic investigation they're
supposedly the expert witness and
they've gone to testify and just made a
complete hash of what they're talking
about
and one i can remember specifically was
a gentleman talking about
01:29:47
an investigation he did around a murder
crime
where the the time stamps
and the location of the phone proved
that the
the accused was actually with the in the
same area as the murder was committed
and the
exact same spot as a body was found and
all that sort of stuff
but he had to explain in court
what the gps coordinates and the
differences in the timestamps meant and
how they related to the
crime scene how they proved they were
01:30:20
there and he just yeah makes a complete
hash of it totally embarrasses himself
in live court
um so that's a that's an interesting
funny one and i really felt you could
see the poor guy he was just
he just shrinks down further and further
in his chair and
the more the prosecutor defense lawyer
asking questions
the further he gets off track and he
ends up just basically
you know crying tears and and calling
for his mum
he was he was that embarrassed so that's
probably the worst one i've seen
but there are certainly you know
01:30:51
examples of
mainly and it's mainly around people who
don't follow process
or don't follow chain of custody they
are typically the two big things that
will
that i've seen anyway in my experience
that have um totally messed up forensic
investigation
so someone just you know handing over a
hard drive to someone say oh here stick
this in the evidence locker or whatever
and
they don't make and then suddenly it
gets lost or it ends up in someone's
desk
drawer or it's left on a desk and then
picked up by someone else who formats it
to put their
you know their playstation games on or
01:31:23
something because they don't know what
it is
so there's plenty of things like that
around chain of custody
and also around
you know people taking the original
evidence and starting investigation on
that and then completely destroying it
and then not having any go back on
lots of different examples of that uh
you know lost
couldn't couldn't even guess how many
times that would have happened
yeah uh as andre
q in the chat has said though at least
he wasn't a cat
01:31:56
for those of you who aren't sure what
that is that's google i'm
i'm not a cat yes um
only a few questions there so thanks for
sticking around folks um
we've covered certifications a little
bit
um chfi from ec council is a good
certification
oh wow
how yeah how long is a piece of string
it is good within a context yes
um
i would say it's a good introductory
forensic um
01:32:35
course uh i
guess i'm probably a little and i'll say
this up front i'm a little biased in
that i'm not a huge fan of the ec
council
certifications um i'm also not a huge
fan of the comptia certifications i'll
let that be known too
that's not to say they are not good
certifications within a context
um and i think i'm probably looking at
it from a buyer's perspective in that
they've come along these certifications
01:33:06
which i consider to be quite entry
level have come along at a time where
i've had
you know 30 plus years in the industry
so i'm looking at it with a different
look
to what i would have 30 years ago had
that been around then
um but but funny should say the chfi
is actually the one that we base the
subject uh 513 on
digital forensic investigations so i
obviously thought enough of it
uh to uh base the subject on it um
so yes i think it's a good entry level
01:33:37
it's a good starting place to go
it's good it's generic it provides you
with
a good process
good procedural ideas rules of thumb
gives you a little bit of access to
tools
they don't talk about tools too much
obviously because
that varies you've got to be careful
with how much you say about tools
particularly
because it's based on the experience of
the person using it
you can make activities fool-proof but
they are not
01:34:11
foolproof to a sufficiently talented
fool i think is a saying that's relevant
there
but it's a it yeah look it's a good
entry-level certification that's
probably what i'd say but if um
it's not something that i would hang my
hat on saying if i get this
certification it'll mean i may
uh a shoo-in for a digital forensic job
yep
yeah and that's the thing with you know
not only
sort of this particular certification
but all certifications
all postgraduate qualifications or
undergraduate qualifications
01:34:42
it's about you know finding i guess the
right balance between your objectives
your existing experience um it's it's so
subjective and it so
so much depends on who you know as well
yeah and really like these these are
the sorts of discussions we like to have
you know
when we contact you directly you know
from that poll earlier it's like these
if it's not right to do xyz study
certifications
you know start change careers like we
like to discuss why
and it really depends on what you want
01:35:13
as much as anything
um so there's so many options and we
live in an era of you know i guess
um user pays education and um
certifications as sort of marketing
tools and it's all like a bizarre stupid
crazy world and
uh certainly is really depends what you
want and when you want it and why you
want it and all those sorts of things
um but hey let's have a long-winded chat
because there's nothing better than that
um when it comes to talking about
postgrad education
01:35:42
and it careers absolutely
last couple of questions i'll combine
scott and steve thank you very much and
thanks everyone for hanging around
they're talking about e-discovery is
e-discovery something to do with digital
forensics
and during e-discovery um they're
talking about evidence gathered
being admissible in court and illegally
obtaining
evidence so let's get back to some
ethics chat there
um is there a bigger problem with
digital forensics than standard
01:36:13
forensics
in in in terms of illegally obtained
evidence
the opportunities for illegally
obtaining evidence in digital forensics
i
think is the scope for it is probably
larger
potentially than standard forensics and
and i
say that with the caveat that i'm not
heavily experienced in standard
forensics
so i'm not exactly i mean but the
potential for
um discovering if you like so finding
things
without the proper authority in a
01:36:46
digital forensic
is the scope would be larger i would
think
so it'd be easier to do you can hide
away
in a closet somewhere
you know alar doj cia
o and i those sort of places
so yeah that's definitely i think that
the scope is probably larger
it's also one of those things it has
that potential to be larger simply
because
you can hide away and be a bit anonymous
01:37:18
and you can grab something and then
send it off to someone and say hey have
a look at this what's going on here
um completely inadmissible in court just
hearsay but
easy to do and easy to do it anonymously
so the scope for it i think is much
larger
in terms of e-directory e-discovery
directory think about novell now
in terms of e-discovery being included
within the
digital forensics umbrella
01:37:50
not something that we would normally
discuss in either of our subjects so
and not something that i would generally
expect to be
tightly in a
ethical digital forensics environment
um but having said that
if we're talking about it you know being
a problem then there is a potential for
it
i guess yeah but it's not something we
would normally bracket under the digital
forensic umbrella so that that's a
simple
01:38:20
answer to that one as well beauty thank
you
uh geez very close to 100 questions
tonight
uh so thank you everyone for sending
those in they really do
as you can tell well there was too holy
augment the the discussion you know you
know we've got the hour of lecture and
then the q a session so feel free to
chuck them in
um we always love them and anything that
didn't get answered
um just chuck it in the forum there's 3
000 of you out there
listening along in some form or another
01:38:51
um
just throw the ideas around have some
disagreements respectfully of course and
and just sort of see what you can come
up with the course is as good as you
lot make it really we'll try our best
and if you want anything
you know chuck a request in the forum as
well and we'll see if we can comply
um it's it's really i think
you are the best resource we have in
these short courses
um with the possible exception of matt
constable in
in no no no no definitely you know
we are we are all stronger than we are
01:39:22
together we are stronger than we are
singularly without a doubt
yeah agreed um and none of this would be
possible without hannah so thank you
hannah
thank you hannah thank you everyone for
listening thank you matt i'll leave it
to you to sign off and
um we'll have a chat about next week and
and see you all next week have a great
week well
thank you guy as well um huge thanks to
you you are
the glue that keeps these moocs from
going completely off the rails
although sometimes particularly when you
put those polls up that you do early in
the night
i question that but generally you are
01:39:53
the glue
you are the thing that keeps me on the
rails so thank you very much and thank
you to
everyone listening out there for
attending uh fantastic numbers for this
evening
i hope you found it informative i hope
you got something out of it
and i hope you come back next week
because we're going to be talking about
data
acquisition so the different theories
and some different
topics around acquiring data from our
evidence repositories whatever they are
so
quite interesting next week so um please
uh please turn up and i look forward to
01:40:24
seeing you all back
at the same time but um yeah thank you
for your attendance it's uh much
appreciated to see so many interested
people here
holding on thank you for your questions
as well so yeah thank you for me
and that's that's really it for this
evening