Welcome to Certified Digital Forensic Examiner. Today we're going to go over Module 1, Introduction and Course Overview. My name is Johnny Justice. I have a Bachelor's Degree in IT Management, a Master's Degree in Computer Science. I'm a Certified EC-Council Instructor. I hold CEH, ECSA, CHFI Certification through EC-Council, CompTIA Linux+. And I'm also a DOD Certified Computer Crimes Investigator. My current job is Computer Forensics in the US Army, so depending on how the cases are set up, if there's a computer involved, I'm the guy that's looking at it. And interesting fact, I supported an Army mission in Europe and I spent almost 70 days there. So I got to travel between Belgium, Germany, Amsterdam, France.
Disclaimers: the views and opinions are the instructor's only, and then of course any digital forensic legal issues should be discussed with your corporate attorney, the local state's attorney's office or the US and federal attorney's office prior to conducting digital device related seizures and subsequent forensic examinations.
With a dramatic increase in computer-related crimes, this requires corporate security personnel and law enforcement agents to understand how to legally obtain evidence stored on computers. With electronic records, what we're talking about are network logs, emails, word processing, JPEGs or pictures. They're increasingly providing the government and corporations with important and sometimes essential evidence inside of a criminal or civil case. And then of course one of the purposes of the course is to provide the law enforcement agents and corporate security personnel with systematic guidance that can help you understand some of these issues that arise and then of course they seek electronic evidence in criminal and civil investigations.
So what we want to do is be able to give you a methodology and a background, but you're actually going to have to create policies and talk to your specific attorneys to make sure that you're doing the right thing.
This course assumes that you have come here with the prerequisite skills as an experienced personal computer user. Ideally, the only thing that you should know is how to navigate through the environment, whether it's a Windows system or a Linux system, and be able to find specific evidence as you're looking through things like FTK Imager. And we also feel that you've been using personal computers on a daily basis in the conduct of your duties as law enforcement or corporate security investigators. So this shouldn't be the first time that you've seen a computer, basically.
Please be advised that this is not a course in computer forensic software training. However, you are going to interact with computer forensic software, but we are not here to make you subject matter experts in that. What this is for is dealing with instruction for digital evidence, digital crime incidents and the forensic methodology. And then although, like I said, we do introduce the basic forensic software programs, the vendors of these programs actually have more extensive training. So we're going to go over AccessData's FTK, FTK Imager and things like that. Well, I would advise that you would go to AccessData to receive the latest and greatest about their specific software.
So notice: all the software programs used in this training program are registered and provided for the use of in-class exercises only. So do not make copies of these. Do not transfer the software training exercises to any personal disk that you have, as violations may fall under federal and international copyright laws. Everything's been set up for you to be able to use it within the classroom. You have the accesses to use it in the classroom. So we want to keep it in the classroom.
Okay, so let's start off with the introduction to computer forensics. What is computer forensics? It's the gathering and analysis of digital information in an authentic, accurate, complete form for presentation as evidence in a civil proceeding or a court of law.
Okay, so the term evidence is a thing or things helpful in forming a conclusion or judgment. The broken window was evidence that a burglary had taken place, or scientists weigh the evidence for and against a hypothesis, right? Something indicative, like an outward sign: evidence of grief on a mourning face. The law, right? The documentary or oral statements and the materials, material objects admissible as testimony in a court of law. So ideally what's going to happen is when you conduct your computer forensics, you need to make sure that the information that you're going to provide is going to hold up in a court of law.
You know, when we talk about this in layman's terms, basically looking at the information on a computer or a digital device to determine what a person is doing in the electronic world, right? I want to find out if you were hacking onto another computer, what did you have set up on your computer to be able to do that? If you're conducting a man-in-the-middle attack, what information did you have on there? Did you have tcpdump? Did you have Wireshark? To where you could actually capture the specific packets going across the wire, so if somebody logged into their bank and it wasn't a secure page, you saw they're using a password. So that's what we're talking about when we talk about computer forensics, when we talk about evidence and being able to use that information in a court of law.
Now what computer forensics is not: it is not data recovery. Even though you have the ability to recover data, it is not data recovery. Now data recovery is a discipline under digital forensics and you can do that. But we're not here to recover data or to use the tool sets to do that.
Something that can be done with software alone, right? You have to be able to use specific hardware as well. You have to be able to plug the hard drive into your computer, write-block it, take this specific image and then store that image onto another piece of media. So during this training, we will generally refer to someone who works and deals with digital evidence and conducts digital investigations as a forensic practitioner, right?
And this is something that can be performed by anyone other than a trained and certified computer forensic examiner, right? You need to have that computer forensic investigator, specialist, examiner, forensic investigative analyst, you know, there are so many different terms out there. But if you don't have specific training within that, then what's going to happen is when you go to court, they're going to be like, wait a second. So you conduct a computer forensics, but you have no certifications to back your forensics process. And they're going to try to strike to remove you from the courtroom or to remove you as an expert witness. So you need to make sure that if you're going to conduct a computer forensics that you have the specific training and that you have it all documented. So that way somebody cannot use it against you.
Digital evidence can potentially provide our five W's and how, right? So it doesn't happen in 10 minutes. I can tell you it doesn't happen in 10 minutes because I used to take forensic images and the forensic images would take up to 12 to 13 hours. And even once I had the forensic image, even if you didn't count the imaging process, once I started to look at the data, it's not like I opened up the forensic tool and I just clicked the "find evidence" button and I just had to be able to click the "find evidence", copy it all out into my report, and then turn my report in. And it was done in 10 minutes. Now even the report writing takes longer than 10 minutes.
So even though you see that stuff changes and happens on TV and they find all this information, they're only showing you that it happens in 10 minutes because it's a TV show and they solve the case in 45 minutes.
So now the computer forensic and electronic discovery process includes information developed from documents, communications and email, databases, proprietary applications and data, right? All of these terms are considered digital artifacts. And ideally what we're trying to do is we're trying to find data on the computer system that is going to prove innocence or guilt on a specific case that we are investigating. So if we can identify information on the computer that we basically refer to as digital artifacts, we identify that information and we can prove it in the court of law as to whether why this person did it or why this person is innocent.
Now this process includes information developed from activities by a device user such as artifact location, artifact copying, deleting, modified, access, creation time analysis. If we're able to prove that the individual was there at the time that it happened, that they had potentially copied whatever information it was or that they had tried to delete whatever information it was. Also artifact modification, access, creation time analysis. If we can show that it was created at the time the individual was on the computer or that he modified it while he was on the computer, maybe it's some type of a script that has to be run and that he had accessed it while he was on the computer.
The greatest thing is in a networked environment, if somebody has to log into a computer system, then you're able to prove that at least that login was there between a specific time. However, you have to prove that the individual was also sitting there because they could easily say, well, no, I mean, I might have lost my password or somebody hacked into my account.
So this wasn't me that did it, it was somebody else that did it and they logged in for me.
So, our course objectives: in this course, you're going to learn the skills necessary to conduct a digital evidence acquisition and analysis. What you're going to be able to do is become aware of the various types of digital incidents, you're going to learn how to respond to those incidents. We're going to be conducting acquisitions and authentication of digital evidence. We're going to use forensic software to conduct a controlled analysis of digital evidence. We're going to record our findings in an examination log and we're going to present those findings.
So we'll go over a little bit more of this as we get into detail with some of the other slideshows, some of the other areas within the course. But these are the basis, right? The forensic methodology of how to conduct an investigation is what we want to go into and make sure that you understand. So when you're developing these things or creating these things or making policies that you can say, okay, this is step one. This is step two. This is step three. This is step four. And you'll be able to say, okay, as long as we conduct every single one of these steps, when we go to court, it's going to hold up in court. We're going to be able to provide information and say that this is exactly what we did. This is why we did it. And this is why this proves innocence or this proves that the individual was guilty.
Okay, this concludes module one.