1
00:00:01,690 --> 00:00:08,700
To be able to obtain forensic evidence during a cyber breach investigation, you should understand how

2
00:00:08,790 --> 00:00:11,670
endpoint file systems work.

3
00:00:11,680 --> 00:00:14,000
So what is a file system?

4
00:00:14,140 --> 00:00:21,550
Think of them as digital filing cabinets. When you store data on your computer hard drive or flash drive,

5
00:00:21,550 --> 00:00:29,230
file systems are used to divide it into organized units that can be accessed later on.

6
00:00:29,230 --> 00:00:34,250
This can be accomplished in many ways depending on the type of file system that is used.

7
00:00:35,690 --> 00:00:43,970
Back in the day, File Allocation Table, or FAT, was the default file system used by Microsoft operating

8
00:00:43,970 --> 00:00:51,620
systems. It organized data by splitting disks into clusters, with a table to reference what was stored

9
00:00:51,620 --> 00:01:02,120
where. Over time, newer versions of FAT were introduced, such as the more recent FAT32. FAT32 overcame

10
00:01:02,120 --> 00:01:09,620
some of the earlier FAT versions' limitations but still lacked in size capacity, making it not suitable

11
00:01:09,620 --> 00:01:11,160
for newer systems.

12
00:01:13,330 --> 00:01:22,270
As an alternative to FAT, Microsoft introduced the New Technology File System, or NTFS. NTFS is more secure

13
00:01:22,270 --> 00:01:29,140
and scalable than FAT, making it the clear winner, and it has been used since Windows XP as the Microsoft

14
00:01:29,140 --> 00:01:36,560
OS file system. NTFS keeps track of timestamps of any changes to a file system.

15
00:01:36,560 --> 00:01:45,200
Each file has a timestamp for create, modify, access and entry modified. As you would expect,

16
00:01:45,200 --> 00:01:49,630
time is crucial across all aspects of cybersecurity.

17
00:01:49,760 --> 00:01:55,910
If there is any file activity on a compromised device, the time of the activity could be the smoking

18
00:01:55,910 --> 00:01:57,410
gun in a breach

19
00:01:57,410 --> 00:02:00,560
investigation.

20
00:02:00,770 --> 00:02:07,130
If you go to Computer Management on any Windows device and then go to Storage and Disk Management, you can

21
00:02:07,130 --> 00:02:12,470
see what file system is used for each type of drive.

22
00:02:13,160 --> 00:02:21,860
As you can see here, I have my main hard drive, which is using NTFS as its file system, and then I have

23
00:02:21,860 --> 00:02:30,050
an external storage device that uses exFAT, which is another version of the FAT file system.

24
00:02:30,080 --> 00:02:37,430
Next I want to open up a file that has been modified on my system to show you where you can look at time

25
00:02:37,430 --> 00:02:42,420
stamp information for files on a Windows computer.

26
00:02:42,510 --> 00:02:49,050
So I go to my desktop and I have this test text file. Just by hovering over it,

27
00:02:49,050 --> 00:02:55,530
I can see that it was last modified on October 30th at 10:32 p.m.

28
00:02:55,530 --> 00:03:02,670
So if I was doing an investigation and found new files on the system or wanted to see if critical documents

29
00:03:02,970 --> 00:03:12,370
were accessed or not, I could right-click on that file, go to Properties, and then I can see the last time

30
00:03:12,370 --> 00:03:17,250
it was created, modified and accessed.

31
00:03:17,350 --> 00:03:22,510
So I'm going to open up the file and I'll make a change, and we should see it update to today's date, which

32
00:03:22,510 --> 00:03:25,150
is November 21st, 2017.

33
00:03:35,200 --> 00:03:44,120
So modify the file, click Save, X out of there, and then let's go back to the Properties of that file, and

34
00:03:44,130 --> 00:03:46,980
I can see that the modified date has been changed.

35
00:03:47,240 --> 00:03:49,930
So that's just a really basic thing to know.

36
00:03:50,030 --> 00:03:57,350
If you're not that familiar with file systems on Windows computers, that can be very helpful for computer

37
00:03:57,350 --> 00:03:58,130
forensics.
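The video reads the created, modified and accessed timestamps from the Properties dialog one file at a time, then edits the file to show the modified time move. The script below is an added example, not part of the video or its course, that does the same two things from Python: it collects the same timestamps through `os.stat`, sweeps a directory tree for files whose modified time falls inside an investigation window (the scripted version of "found new files on the system"), and repeats the edit-and-compare experiment. It assumes only the Python standard library; the temporary workspace and its `test.txt` are constructed for the demo. Field naming follows the video's create/modify/access/entry-modified terms; which `os.stat` field carries the creation time differs between Windows and Linux, and the comments say which is which.

```python
import os
import sys
import tempfile
import time
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def file_timestamps(path: str) -> Dict[str, Optional[float]]:
    """Collect the timestamps the Windows Properties dialog shows, as epoch seconds.

    created:  NTFS creation time. On Windows os.stat exposes it as st_ctime
              (and as st_birthtime from Python 3.12); on Linux it is usually not
              available through os.stat, so None is returned rather than a wrong value.
    modified: last write to the file's content (st_mtime).
    accessed: last read (st_atime); many systems throttle or disable its updates,
              so an unchanged access time is weak evidence on its own.
    metadata_changed: closest POSIX analogue of the NTFS 'entry modified'
              timestamp (st_ctime). Not reported on Windows, where st_ctime is
              the creation time instead.
    """
    st = os.stat(path)
    if sys.platform == "win32":
        created: Optional[float] = getattr(st, "st_birthtime", st.st_ctime)
    else:
        created = getattr(st, "st_birthtime", None)
    return {
        "created": created,
        "modified": st.st_mtime,
        "accessed": st.st_atime,
        "metadata_changed": None if sys.platform == "win32" else st.st_ctime,
    }


def fmt(ts: Optional[float]) -> str:
    """Render an epoch timestamp the way a timeline entry would (UTC, second precision)."""
    if ts is None:
        return "n/a"
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def files_modified_between(root: str, start: datetime, end: datetime) -> List[str]:
    """Walk a directory tree and return files whose modified time lies within [start, end]."""
    lo, hi = start.timestamp(), end.timestamp()
    hits: List[str] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; keep sweeping the rest
            if lo <= mtime <= hi:
                hits.append(path)
    return sorted(hits)


def modify_and_compare(path: str, delay: float = 1.1) -> Dict[str, bool]:
    """Repeat the video's experiment: snapshot timestamps, append to the file, snapshot again.

    Returns which fields changed. 'modified' must move forward and 'created' must not.
    The delay guards against coarse timestamp resolution: FAT stores the modified
    time in 2-second steps, NTFS in 100-nanosecond units.
    """
    before = file_timestamps(path)
    time.sleep(delay)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write("edited during the timestamp demo\n")
    after = file_timestamps(path)
    return {key: before[key] != after[key] for key in before}


def run_demo() -> Dict[str, object]:
    """Build a constructed workspace (throwaway temp dir), run both checks, return the results."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "test.txt")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("test text file\n")  # constructed sample, standing in for the video's desktop file
        now = datetime.now(tz=timezone.utc)
        window_hits = files_modified_between(
            root, now - timedelta(minutes=5), now + timedelta(minutes=5)
        )
        changed = modify_and_compare(target)
        snapshot = file_timestamps(target)
    return {
        "in_window": target in window_hits,
        "modified_changed": changed["modified"],
        "created_changed": changed["created"],
        "report": {key: fmt(value) for key, value in snapshot.items()},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the report; point `files_modified_between` at a real directory and a window taken from other evidence (an alert time, a login event) to pull out every file written in that window, which is the same question the video answers by hovering over one file at a time.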