Let's now explore another IT field, known as computer forensics. The role of computer forensics is to secure and analyze evidence of computer crimes. What could constitute a piece of evidence? If you suspect an attack has been launched on your system, you need to document the current configuration of the targeted computer. No sophisticated tools are needed; they would be redundant. It's enough to deploy a script written in the language of your choice (PowerShell, the command line, et cetera). The script collects data on the current configuration, launched processes, listening ports, your computer's network activity and so on.

A network traffic log has great value as evidence in a computer crime investigation; even local attacks usually depend on network activity of some kind. Data is transmitted: a launched program communicates with its control center or updates itself. Examining network traffic is a simple and effective method for documenting attacks; we'll show how to do this using the Wireshark sniffer. The gathered data will only be legally effective if a court is convinced of its authenticity. It's not enough to collect some data and testify that it has been sent out of your computer. We need to be able to prove in some way that the log really is the network communications log of your computer. A good solution is to sign the gathered communication files; we'll learn how to do that in a minute.

Another good practice is creating a low-level disk image. A lot of professional forensics tools start out by performing this action: the programs duplicate the whole logical disk inside the created file. From that moment on we can access data and metadata in different ways.

Before you report a cybercrime, you need to first secure your evidence; then the collected evidence has to be examined. In practice this is delegated to professional entities specializing in computer forensics analysis; the roles of users or an administrator are usually limited to securing the gathered evidence. The role of the person who analyzes the collected data is to document an attack for legal use.

Let's discover how to verify the authenticity of files through their signatures. The Internet is full of specialist programs that calculate file checksums, such as, for example, ExactFile. One of the strengths of this application is that it's capable of calculating a checksum for an entire directory. You only need to specify the location of the files whose authenticity you're trying to maintain. Next, select the checksum format. Files on the Internet are usually signed using one of the versions of the MD5 and SHA algorithms. We'll select SHA-1, then choose the option that generates file signatures, Create Digest. In this way a signature for all the files contained in a specific directory will be created.

The picture below shows checksums for all the files. This is a great utility for documenting the files of a system. It is better applied to documents than to system files, as the latter are often modified on a regular basis. If, once you've generated a checksum for the files, every modification is understood as an attack, this would end in a flood of false positives. There has to be another solution for system files; checksums are effective for ordinary files. The best solution would be to verify a checksum for all files that come from an unknown or untrusted source. Even a trusted website should be considered an untrusted source; binary files downloaded from such sites should be treated as untrusted.

As far as system files are concerned, it's good to use the sigcheck program. This is a tool that is a component of the Sysinternals package. It's launched from the command line, run as administrator. The tool was developed by Mark Russinovich. Sigcheck allows us to verify digital signatures for all the files in a selected location. It covers either all the files or only the binaries. A system directory should not contain any unsigned files, files that are signed in an incorrect way, or files that used an invalid certificate for generating their signatures. All checksums have to match.

Let's run a quick test for the system directory. To scan only the binaries, select that option; we'll also check the signers of the files with the -i option. The test results show an example of a correctly signed file. You can view the issuer of the certificate used to sign the file and see if the certificate is trusted. I will add one more option to the submitted expression; this command should not return any results. As you can see, all files are signed and all signatures are correct. Using this tool you can check the authenticity of key system files on a regular basis.