WEBVTT

0:00:09.680000 --> 0:00:14.580000
So let's get started on some definitions and histories.

0:00:14.580000 --> 0:00:22.660000
Okay, so one of our main concerns in digital forensics is where is

0:00:22.660000 --> 0:00:25.720000
the evidence on the device stored?

0:00:25.720000 --> 0:00:27.800000
The answer is surely going to be a disk.

0:00:27.800000 --> 0:00:32.600000
Right? And when we say disk, we're making a reference to our classic hard

0:00:32.600000 --> 0:00:38.380000
drives. But what we're really talking about is data that does not disappear

0:00:38.380000 --> 0:00:41.420000
when we power off the system.

0:00:41.420000 --> 0:00:47.260000
And what this moves into is what we're going to call the order of volatility.

0:00:47.260000 --> 0:00:52.120000
So many, if not most, of the cases will involve data that is stored on

0:00:52.120000 --> 0:00:56.780000
a persistent mechanism such as a hard drive or a solid state drive, flash

0:00:56.780000 --> 0:00:58.940000
storage or disk media.

0:00:58.940000 --> 0:01:02.440000
And there's a bunch of other types of data storage out there, from logs

0:01:02.440000 --> 0:01:04.600000
to RAM to system cache.

0:01:04.600000 --> 0:01:08.040000
But those are up a little bit higher on the order of volatility, and we're

0:01:08.040000 --> 0:01:12.620000
going to cover those in other parts of our digital forensics series.

0:01:12.620000 --> 0:01:18.420000
So let's talk a little bit about the lingo for digital forensics

0:01:18.420000 --> 0:01:19.720000
and persistent storage.

0:01:19.720000 --> 0:01:25.840000
For our purposes, data is going to refer to the raw digital forms of the

0:01:25.840000 --> 0:01:28.480000
evidence, essentially the bits and bytes.

0:01:28.480000 --> 0:01:32.900000
And then information is going to be the insights and hypotheses that we

0:01:32.900000 --> 0:01:35.940000
as analysts can interpret from that data.

0:01:35.940000 --> 0:01:40.560000
That information may be the result of aggregating or correlating data.

0:01:40.560000 --> 0:01:45.180000
It's really up to the investigator to determine what layer they're working

0:01:45.180000 --> 0:01:48.880000
on. And in this course, we're really working

0:01:48.880000 --> 0:01:52.020000
at the file and disk level.

0:01:52.020000 --> 0:01:55.820000
So we're not really getting quite to operating system artifacts

0:01:55.820000 --> 0:02:04.860000
yet. And the types of data can be categorized into four basic layers.

0:02:04.860000 --> 0:02:10.700000
And that's going to be physical, volume, file system, and operating system

0:02:10.700000 --> 0:02:11.580000
and application.

0:02:11.580000 --> 0:02:16.720000
In this course, we're going to be covering the top three, and we're going

0:02:16.720000 --> 0:02:20.080000
to talk about OS and applications in other courses.

0:02:20.080000 --> 0:02:27.280000
When we look at the layers of analysis, we're really thinking about how, once

0:02:27.280000 --> 0:02:32.040000
the data is taken from its physical format, it's going to be stored.

0:02:32.040000 --> 0:02:36.040000
And then it's going to be processed by forensic software and interpreted

0:02:36.040000 --> 0:02:38.420000
into a human readable format.

0:02:38.420000 --> 0:02:42.400000
And then that makes it information.

0:02:42.400000 --> 0:02:45.680000
So the example that we're going to be using is that we're talking

0:02:45.680000 --> 0:02:47.320000
about just a file here.

0:02:47.320000 --> 0:02:51.540000
And this file could just be a representation of a few bytes on

0:02:51.540000 --> 0:02:56.120000
the disk. The bytes are going to be represented in a binary form, often

0:02:56.120000 --> 0:02:59.460000
represented to us in hexadecimal.

0:02:59.460000 --> 0:03:04.920000
And then let's look at how this data can be interpreted from its raw form

0:03:04.920000 --> 0:03:07.700000
to a human readable form.

0:03:07.700000 --> 0:03:11.080000
And so if we look right here at the top, we've got a hard drive

0:03:11.080000 --> 0:03:15.000000
on the left, and then you can see kind of what hexadecimal looks like below

0:03:15.000000 --> 0:03:19.080000
it. And then we're going to move it to a processing stage.

0:03:19.080000 --> 0:03:23.260000
And that's going to be after we forensically acquire the data.

0:03:23.260000 --> 0:03:27.480000
And then we send it into digital forensic software to process it.

0:03:27.480000 --> 0:03:30.480000
And then what that is going to do is it's going to output that information,

0:03:30.480000 --> 0:03:35.700000
and that information could quite simply be a notepad file that says hello

0:03:35.700000 --> 0:03:42.480000
world on it. We're going to talk about the layers of our analysis.

0:03:42.480000 --> 0:03:46.880000
We're talking about the physical media, volume, and file system.

0:03:46.880000 --> 0:03:50.220000
And again, we're not right there yet with application and OS.

0:03:50.220000 --> 0:03:52.780000
But let's look at where all of this lies.

0:03:52.780000 --> 0:04:00.380000
As you can see, file system, volume analysis, and then the physical storage

0:04:00.380000 --> 0:04:05.240000
media analysis are going to be the bottom layers.

0:04:05.240000 --> 0:04:09.740000
And we're going to talk about how they store data, what their data structures

0:04:09.740000 --> 0:04:11.820000
are, and then how do we analyze it?

0:04:11.820000 --> 0:04:16.880000
And what I really want to kind of drive this home with is a picture of

0:04:16.880000 --> 0:04:22.280000
an iceberg. So what you're seeing in this picture of an iceberg is really

0:04:22.280000 --> 0:04:29.000000
just what's presented to you as an application or even an operating system.

0:04:29.000000 --> 0:04:34.620000
But you have to think about those three orange layers that form the bottom

0:04:34.620000 --> 0:04:39.260000
of the iceberg that aren't ever really visible for you to see.