From the course: Learning Cyber Incident Response and Digital Forensics

Conducting forensic analysis

- [Instructor] In this section of the course we're going to begin analyzing all the data we collected during our evidence collection portion of our digital forensic investigation. Now at this point, we've collected information from our suspect's machine, including a copy of their volatile memory, network statistics, and other relevant information, as well as capturing a hard disk image, and an image of their USB thumb drive, and we've gathered a copy of their registry and logs from the suspect's system too. Now, we've probably collected a lot of data during our collection efforts for this particular forensic case, maybe even several terabytes of it, and now we have to start sorting through all that data, and see if we can piece together exactly what really happened on that particular suspect's system. Now, throughout this section of the course, I'm going to demonstrate some of the basic data analysis techniques that you're going to be able to use to see how different data types, that were collected during our investigation, can be reviewed for potential evidence. Now first, we're going to be conducting some analysis on the contents of the system's volatile memory using a static analysis technique by reading the hexadecimal encoding of the memory captured, as well as using string analysis tools like FLOSS or strings, and many other techniques to start finding information inside of that volatile memory. Then, we're going to be going and opening up Autopsy, which is an open-source cross-platform GUI-based forensic software tool that we're going to use to analyze different types of information from our captured hard disk and USB thumb drive images. Next, we're going to analyze those disk and drive images using Autopsy to identify hidden and deleted files, by using the Autopsy File Carving and Recovery functions during our initial triage analysis efforts to identify any hidden information or clues as to what it does. 
After that, we're going to be looking at the Windows Registry of the suspect's system that we have been imaging. The Windows Registry is a form of database that keeps track of a lot of valuable information that we're going to use as a digital forensic investigator. For example, we can look through the registry and find the suspect's internet search history, whether USB drives have been connected to that system, finding the names of previously copied files that were transferred over to those external devices, and so much more. Then we're going to move into our analysis of the suspect's system logs on their Windows workstation. Now, logs are used to document a record of events that have occurred on a given computer, either by a user, or by some process, or software, on that given system. Basically, logs are going to be used to help us identify what actually happened on a given system, and who's responsible for those events happening on that workstation. After that, we're going to discuss how to create your final report as a digital forensic investigator, including documenting your processes, providing a summary of the evidence you detected, as well as stating your expert opinion on what that evidence is saying about the potential crime that you are asked to investigate. After all, if you're working on a criminal or civil court case as a forensic investigator, you might be called upon to go to court and provide your testimony on what you found, how you found it, and what it really means, in your expert opinion, based upon the evidence you collected, and what crime is being charged against that suspect. Then, we're going to cover the other considerations for your investigation that you should be thinking about as a digital forensic investigator. 
This includes the importance of documenting every step you take when conducting your investigation, understanding how to collect evidence from a cloud service provider like Amazon Web Services, Microsoft Azure, or Google Cloud, as well as the importance of really looking over the warrant before you start collecting any evidence in a potential criminal investigation. Finally, we're going to take a short quiz to see what you learned during this section of the course, and then review each of those quiz questions fully to ensure you can explain why the right answers were right, and the wrong answers were wrong. So, if you're ready, let's jump into our lessons focused on analyzing digital evidence, and documenting your results in this section of the course.
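The string analysis the instructor mentions for volatile memory (what the `strings` tool and FLOSS do in their simplest mode) comes down to scanning raw bytes for runs of printable characters, in both 8-bit ASCII and the UTF-16LE encoding Windows uses for paths and command lines, and then triaging the hits for artifacts worth a closer look. The example below is added here to illustrate that idea; it is not code from the course or from the FLOSS or Autopsy projects, it does not attempt FLOSS's decoding of obfuscated strings, and the memory "dump" it scans (`SAMPLE_DUMP`), the `extract_strings` and `triage` function names, and the indicator patterns are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class FoundString:
    offset: int     # byte offset of the string in the image
    encoding: str   # "ascii" or "utf-16le"
    text: str


# Constructed stand-in for a slice of a memory image: header-like junk,
# an ASCII command line, a UTF-16LE (wide) Windows path, a run that is
# too short to report, and an ASCII URL. Not real evidence.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00"
    + b"copy plan.docx E:\\"
    + b"\x00\x01\x02"
    + "C:\\Users\\suspect\\Documents\\plan.docx".encode("utf-16-le")
    + b"\xff\xfe"
    + b"ab\x00"
    + b"http://example.invalid/upload"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[FoundString]:
    """Return printable-character runs of at least min_len characters.

    Two passes: plain ASCII runs (bytes 0x20-0x7e) and UTF-16LE runs,
    where every printable ASCII byte is followed by a NUL byte. The
    ASCII pass cannot match inside wide strings because the NUL bytes
    break every run after one character.
    """
    found: list[FoundString] = []

    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append(FoundString(m.start(), "ascii", m.group().decode("ascii")))

    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in wide_re.finditer(data):
        found.append(FoundString(m.start(), "utf-16le", m.group().decode("utf-16-le")))

    found.sort(key=lambda s: s.offset)
    return found


# Hypothetical triage patterns: artifacts an examiner typically pulls out of
# a strings listing first (URLs, Windows paths, and references to drive
# letters other than C:, which often indicate removable media).
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "windows_path": re.compile(r"[A-Za-z]:\\[^\s]*"),
    "removable_drive": re.compile(r"\b[D-Z]:\\"),
}


def triage(strings: list[FoundString], patterns=INDICATOR_PATTERNS) -> dict[str, list[FoundString]]:
    """Group extracted strings by which indicator pattern they match."""
    hits: dict[str, list[FoundString]] = {}
    for s in strings:
        for name, pat in patterns.items():
            if pat.search(s.text):
                hits.setdefault(name, []).append(s)
    return hits


if __name__ == "__main__":
    results = extract_strings(SAMPLE_DUMP)
    for s in results:
        print(f"0x{s.offset:08x} {s.encoding:9s} {s.text}")
    for name, matched in triage(results).items():
        print(f"{name}: {[m.text for m in matched]}")
```

On a real image you would read the capture file in chunks (or `mmap` it) rather than loading it whole, and a four-character minimum produces a lot of noise, so raising `min_len` and adding patterns for the artifacts relevant to the case (document names, account names, the USB volume names later confirmed in the registry) is the usual next step.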
