CompTIA Security+ SY0-601 – 4.5 Key aspects of digital forensics

1. Documentation and evidence

In this video I’m going to be talking about evidence and particular things that you should follow when collecting evidence. So first of all, evidence, right, evidence proves either you’re guilty or you’re not. Evidence is used by the prosecution in a court case to prove you’re guilty or evidence is used by the defense to prove you’re not guilty. Maintaining the intent, integrity of evidence is key and that’s what the section is going to be about. Remember, you guys probably heard about in CSI shows or any type of movie, they can’t tamper with the evidence, you tamper with the evidence and the evidence can be thrown out in court.

That’s the single piece of evidence that can prove a guilty person guilty or proven not guilty. Person not guilty. So you want to maintain good evidence. Now let’s take a look at what our exam wants us to know about evidence. By the way, we’re really talking about computer evidence. And computer evidence could be that most people think computer evidence are physical. I’m sorry, logical, like what’s in a log file, whether or not they could include keyboards, they could include physical, the physical desktops themselves, right? So there are a lot of things here that comes into play, camera footages and whatnot. So when gathering the evidence, there’s a couple of things that could be a legal hole.

Sometimes government agencies and law enforcement, they put a legal hole so you can’t move it or change it. Now, video evidence is always great if you have video evidence, but you would have to capture video of it. How admissible is it to court? Now, for something generally for evidence to be admissible, it has to be able to prove a fact, it has to be obtained legally and it has to be related to the case. Those are the three things that evidence has to be. So evidence has to be related to the case somehow, somewhere. It has to be able to prove a particular point and you cannot put evidence into you can’t claim evidence on a case if you have not obtained that evidence legally.

And that’s a key point about managing any type of forensics. If you legally obtain evidence, even if it proves that person guilty, it may not be usable in the court case. So something to consider. Now, one of the hot topics that we need to talk about is the chain of custody. I’m just going to show you what it looks like. I found one here on a government website and this is a sample chain of custody. Now what the chain of custody does is that it’s basically a document that and this is just a sample. There’s so many different ones that are out there you can even create your own ones. These are basically just documents that keeps a track of the audit trail of the evidence.

So take for example, when you gather the evidence, you have to document that. So it keeps the audit trail, basically the who to what, the when, the where to why, how. So who’s gathering the evidence when they gathered it, how they gathered it, where they put it, who they put it with, when they put it, how did it restored, where it was stored, who took it after that, who analyzed it, when they analyzed it, basically how, when they put it back. It’s the auditory it’s the step by step by step procedure of the evidence.

For your exam, the chain of custody is going to be about the chain of custody is going to be about maintaining the integrity of the evidence. All right? So remember that what is a chain of custody. It helps us to maintain the evidence. It shows us that it was obtained legally, that it was analyzed in a correct manner. Because think about it, the defense can come back and say, oh, well, this evidence, this wasn’t analyzed correctly. You’re saying my client is guilty, but the analysis was wrong. So the chain of custody would allow that to show how it was analyzed. So the defense can question it or the prosecution can question it, either one.

But it basically maintains the integrity. It’s the audit trail of the evidence. Now, other things to think about is going to be time sequence of events and basically timestamps of when they broke into a computer, when they took it. They may even be a time offset, in which case the computer clocks or systems may be off a couple of minutes. So you may want to keep that in mind as you analyze your evidence to the time sequence of events. Now, you can get the time sequence of events from the log files. And earlier in the class, I had shown you the autopsy. I also have other types of software, computer forensic software.

The most famous and popular one, such as there is a software that is used by the government calling case in case is a very famous forensic software that’s used by, like the FBI. These types of software. Sodas one of them we looked at called the FTK, the access data forensics toolkit. And the other one autopsy that I had shown you guys on my computer, they create timelines. They’re able to show when the user did this and then they did this, and then they did this, and then you got to think of that offset. In case there’s any type of offset, enough time evidence may be tagged, right? Depending on where you’re storing it, there may be reports. Think of the chain of custody.

Now, event logs is what we’re going to have in Windows. We did a previous video when we talked about different types of log files. Event logs in the computer can help show the actions taken by potential intruders and then interviewing. Now, interviewing may be something done by law enforcement, may not be done by a security computer, security person. But interviewing can gather evidence and people can tell you what they saw people can tell you what they were doing when actions were being taken against your network. All right. Interesting things here when it comes to evidence. Let’s keep going.

• Category: Uncategorized