Hashing, I won't suggest we discuss at length; we are going to work in the way that I described to you. Hashing algorithms take a file or disk image as input and use mathematical computations to produce a unique value of a fixed length, which is referred to as a message digest. The formula on the right-hand side, which I put together for you just as an easy way to remember it, is what I just described: variable-sized data plus hashing algorithm equals fixed-bit-size output, and that fixed-bit-size output is referred to as a message digest. We typically use either MD5 or SHA-1. In order to be able to do this, the fixed-bit-size output, or message digest size, for MD5 will always be 128 bits; the message digest size for SHA-1 will always be 160 bits. Please make sure you remember that and know that; it will be important at some point in the future for you to be aware of. Documentation is very important. We've talked a lot about documentation in various areas: the value of it, how to ultimately gather it, how to make sure we know how to communicate it broadly and that it's available, how to use it, how to consume it and how to manage it. So, things like: what is the evidence? How was the evidence obtained? When was the evidence obtained? Who obtained it? How was it handled? When and where was it accessed, and under what circumstances? All of those things are going to be important to document. Again, we go back to the idea of the five Ws and the H: the who, what, when, where, why and how. If we are asking these questions and answering them appropriately within the context of the situation, we'll have all the evidence we need to document everything that is going on, and we'll be able to respond accordingly if we are ever asked. 
We have five rules of evidence, as we often refer to them, and this is part of the overall thought process I shared with you about handling evidence properly: observing all the rules, making sure we document correctly, and understanding how to present evidence that could be used if necessary in a court of law, based on how we've gathered it, handled it and analyzed it over time. You should know the five rules of evidence; it is very important for you to be aware of them. Be authentic, be accurate, be complete, be convincing and be admissible. These are the five tenets, or five rules, of evidence. Evidence must be authentic; evidence must be gathered and presented accurately; it must be as complete as possible; it must be convincing; and it must be admissible in a court of law. If you nail these five rules, you will be able to present the evidence at trial and use it to prove either the innocence or the guilt of the person, or the issue, that is in question. If you don't nail these five rules, we're going to have some issues and concerns, and the evidence may never see the light of day. So make sure you understand what the five rules of evidence are. We've talked about analysis already, we've talked about hashing to ensure integrity, and we've talked about chain of custody. As we talk about forensic investigations, it's important to do all the legwork and the setup work in the planning, to make sure that when we gather the data, get it stored, and then get it to the point where we can start looking at it, we've done so in a way that will allow us to analyze the data securely and in a meaningful way, but also ensure the safety, the integrity and the sourcing of the data. So, media analysis involves the recovery of information or evidence from that media. We have the original hard drive from the system. We're not going to operate on that original hard drive; we're going to have an image of that hard drive. 
We're going to operate on the image, because if we screw the image up, we can always make another image; if we screw up the original, we've got nothing. Right? So, you never want to operate on the original media. You always want to have an exact duplicate copy, hashed to demonstrate integrity, and then operate on that. That is a very important thought process with regard to media analysis. There are lots of different types of analysis we can engage in, not just on the media side. Media analysis we've talked about already, but there is also network analysis, looking at traffic flows like I showed you how to do with something like Packetyzer or Wireshark, as you were able to do in our exercise. We have software analysis; we can look at code, in other words, and look for author identification, and the content and context analysis capabilities of code detection tools are very, very robust these days. What is the content? That's the code itself, the code strings. What does the code do? How is it written? That can tell us a lot about who may be behind it. What is the context of the code? What is it meant to do, and in what circumstances? So, for instance: this code can only run if these resources are available. Kind of odd, we should not normally run those three resources, so that may mean that there is a dependency on something else, and we can then begin to unravel what that may do. We can also look at hardware and embedded device analysis. Hardware analysis is a little bit harder to do; it typically requires special tools and special knowledge. So, if somebody is able to tamper with the hardware of the system, inserting an altered chip that has altered BIOS instructions, for instance, or inserting some sort of peripheral that acts as a keystroke logger, or things like that, we may or may not be aware of it. If it's an embedded device, it has its own embedded OS, or some sort of operating system, and they may be able to go in and reprogram that operating system, adding code into it to make it do a variety of things. 
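As an added example (not part of the course material), the following Python script shows the hashing workflow just described: compute the message digest of an "original drive" and of its working image, confirm the two match before any analysis starts, and detect a copy that has been altered by even a single bit. It also reports the fixed digest sizes the instructor asks you to remember (128 bits for MD5, 160 bits for SHA-1). SHA-256 is included alongside them as an assumption on my part, because MD5 and SHA-1 are no longer collision-resistant and recording a SHA-2 digest with the others is common practice. The "disk images" are constructed in a temporary directory from random bytes; no real media is read.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha1", chunk_size=1024 * 1024):
    """Hash a file (for example a disk image) in chunks, so a large image
    never has to fit in memory. Returns the hex-encoded message digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_bits(algorithm):
    """Size in bits of the fixed-length output for the given algorithm."""
    return hashlib.new(algorithm).digest_size * 8


def verify_image(original_path, image_path, algorithms=("md5", "sha1", "sha256")):
    """Compare a working image against the original under several algorithms.
    Returns {algorithm: (original_hex, image_hex, match)} so the digests can
    be copied straight into the chain-of-custody documentation."""
    report = {}
    for alg in algorithms:
        original_hex = hash_file(original_path, alg)
        image_hex = hash_file(image_path, alg)
        report[alg] = (original_hex, image_hex, original_hex == image_hex)
    return report


def all_match(report):
    """True only if every algorithm agrees that the image is an exact copy."""
    return all(match for (_, _, match) in report.values())


def demo():
    """Constructed scenario (not real evidence): an 'original drive', an exact
    image of it, and a tampered image with one bit flipped."""
    original = os.urandom(4096) * 64  # 256 KiB of constructed sample data
    with tempfile.TemporaryDirectory() as d:
        orig_path = os.path.join(d, "original.dd")
        good_path = os.path.join(d, "image.dd")
        bad_path = os.path.join(d, "tampered.dd")
        with open(orig_path, "wb") as f:
            f.write(original)
        with open(good_path, "wb") as f:
            f.write(original)
        tampered = bytearray(original)
        tampered[len(tampered) // 2] ^= 0x01  # flip a single bit in the middle
        with open(bad_path, "wb") as f:
            f.write(tampered)
        good = verify_image(orig_path, good_path)
        bad = verify_image(orig_path, bad_path)
    return {
        "good_image_verified": all_match(good),      # exact copy: digests agree
        "tampered_image_verified": all_match(bad),   # one bit changed: digests differ
        "md5_hex_len": len(good["md5"][0]),          # 128 bits = 32 hex characters
        "sha1_hex_len": len(good["sha1"][0]),        # 160 bits = 40 hex characters
    }


if __name__ == "__main__":
    print("MD5 digest bits:", digest_bits("md5"), "SHA-1 digest bits:", digest_bits("sha1"))
    print(demo())
```

In practice you would run hash_file over the original media once, immediately after acquisition, and record the digests; every later copy is verified with verify_image before anyone analyzes it, and a mismatch means that copy is not the evidence.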
This is much tougher to analyze, and we need skills and special tools to be able to do so, and probably a lot of knowledge, maybe even help from the vendor. So, hardware and embedded device analysis may not be something that we do normally; we have to get specialists to do that. But network analysis, for instance, can be done by almost anybody. You saw how easy it is to capture data packets, to sniff them and see what's going on in them. You have to be trained to understand what's there, but the point is that you don't need a lot of special skills to actually capture the data; it's not very difficult to do. Also, let's take a look at some questions that help us to wrap up and review in this area. As we normally do, we'll post several questions for you at the end of a section or at the end of a discussion, ask you to ponder them for a minute or two, go off and answer them, come back and share your answers with me, and I'll share the right answers with you. We'll compare our notes, make sure we're good, and then we'll wrap up and get ready for our next conversation. So we have two questions on the screen in front of you. I encourage you to take a moment to look at them; as soon as you're ready and have thought about what the answers are, come on back and we'll take a look. Let's take a look at what those answers are and see if you got them right. Question number one: what is included in a generic forensic guideline? Identifying evidence, collecting or acquiring evidence, examining or analyzing the evidence, and presentation of findings. The four phases, or steps, of the forensic investigation process are what we see there. Question number two: what does software analysis refer to? 
Well, software analysis, or what we call forensic analysis of software, refers to the analysis and examination of software: of code, of applications, of programs, and of anything that is running in the operating system that involves software and the use of software. We can break that software down and analyze it in some way. We may use a decompiler, a tool that will break down the executable package and show us the underlying code. We may use a hex editor to break open the code and see what's in there, including the strings. There are different ways to do this, but we normally have to decompile the compiled code that runs in some sort of packaged executable and then understand what that looks like, and that's what we'll do when we do software analysis. Now that we've finished our conversations in the forensic investigation area, take a couple of minutes, go back, review your notes, make sure you have all your questions answered in your mind, and make sure you're prepared. Once you feel comfortable, come on back and we'll take a look at our next topic of conversation.