Hello, and welcome back to the computer forensics path, Course 6, recognizing and collecting digital evidence. In this course, we're going to cover preparation and planning, securing and evaluating the scene, documenting the scene, how we're going to collect evidence, and how we're going to transport, package, and store evidence.

In Course 6, Module 1, we are going to cover the pre-recovery planning phase. Pre-recovery planning is one of the most important parts of the investigation, because if we don't seize the evidence properly, it will not be admissible in court. Pre-recovery planning is going to include being able to recognize sources of digital evidence, being able to document it, collect it properly, package it properly, be able to transport it in a safe way to preserve the evidence, and store it in an area where it's going to be secure and safe.

Our planning phase, which was our first one. The first thing we want to consider is going to be what kind of case are we investigating? What is the alleged violation or crime? Is it a violation of company policy? Is it a crime? We're going to want to think about our case. This is going to lead us to believe what type of evidence we're going to be collecting. Are you looking at a case that's going to involve a lot of communications or a case that's going to involve a lot of mobile devices, versus a case where we're going to be looking at servers and RAIDs and all kinds of large configurations of networks? What type of case are we looking at? What type of evidence are we going to be collecting?

What's at the scene? Is this a residence or a business? Are we going into a home where we're going to be looking for maybe a single laptop, or are we going to a business where we're going to be dealing with that network and that server-type environment? What type of Internet do these people have, is it going to be secure or unsecure? You want to know that in advance, so you would want to do some reconnaissance on the scene.
We'll talk more about doing scene reconnaissance before we execute our search warrant. What are the user's skills? Is our user a computer programmer or is our user somebody who can barely turn the computer on? Do we know if cloud storage is going to be part of our case, is it likely? If you're dealing with a lot of social networking and cloud storage, if you know you're dealing with Dropbox, Google Drive, OneDrive, is cloud storage going to be part of our investigation? If so, how are we going to handle that?

When we're planning, we have to make considerations. First of all is how are we going to enter? Is this a business where we're just going to walk in and ask to speak with the manager, or is this a home where we're going to have to be knocking on a door and somebody's going to answer it, or is this more of a high-risk warrant? We're dealing with a narcotics or a gang-type environment where we're going to need to make a dynamic entry, maybe SWAT makes the entry for us. How are we going to contain the suspects once we're inside? Because the first thing we're going to want to do is get the people away from the computers, because we don't want them destroying or altering evidence. How are we going to contain the suspects when we get to the scene?

Are we going to have specialized legal issues? If this is a business, we know we're probably not going to be able to shut their computers down, so live imaging is going to be a concern. What type of network are we dealing with? Is it a single laptop? A bunch of mobile devices? Is it a server farm? So we need to know what we're walking into. The administrator, if we're dealing with cloud services or cloud computing, the administrators may not be on-site. Do they contract out their computer services or is the administrator going to be on-site? That is another thing we want to consider.

Planning. If we know in advance we're going into servers, do we know that they can't be shut down?
We need to know what type of operating system, if possible: are they using a standard operating system or is this a proprietary operating system? Are they on or off scene? Because again, we could be dealing with cloud computers, where a lot of companies now are going to AWS or other types of cloud computing. Where are our servers actually going to be? What type of databases are we going to be dealing with? Are they standard databases? Are they going to be a proprietary database? These are all things that we want to know if possible before we plan out our search warrant.

Operations plan. When you show up, you just can't have everybody go running in and start moving everything around. There's a certain way we have to do things, so your best bet is to assign personnel in advance. You're going to have a supervisor; no matter where you work, you always have one of those. You're going to have people assigned to do interviews and search. You're going to have people assigned to just evidence. They're going to document and log all that evidence as it comes in and do the evidence intake, very important. You're going to have certain people that are going to be assigned to preview this evidence, and we're going to talk about previewing as we go through this path. You're going to have somebody whose responsibility it is to take photographs of the scene and photographs of the evidence as they're found. All these assignments should be done in advance; everybody should know their role before they walk into that residence or business when we are doing one of these search warrants.

Search warrant surveillance, extremely important. Know the place you will be searching; you want to know the physical layout as well as what we're going to be walking into digitally. Is that a residence or is it a business? Do we want people present? What is the layout of this residence or business? Who lives there? Who receives mail there? Who resides there?
All these things are very important before you execute a search warrant.

What kind of equipment are we going to need? Well, that's going to depend on what we're walking into, but you always want to try to come with as much equipment as you possibly can. We're going to need a toolkit, we'll need bags, markers, evidence tape, camera, large envelopes, small envelopes too, anti-static bags, Faraday bags, bags that will block signals, scissors, evidence log; all these things are going to be necessary.

This is more equipment we're going to need to consider having: we're going to need pens, you're going to need gloves because the areas you're going to be searching can be contaminated. You will need some type of hand sanitizer, we're going to need labels, we're going to need sterilized target media to copy our data onto, especially if we're doing live acquisitions, and we're going to talk about this in-depth throughout the path. You're going to need some type of laptop to run your software from, you're going to need forensic software, we're going to need write blockers, we're going to need cables and connectors because we don't know what we need to connect to at this point. Then you're going to need some type of portable batteries to prevent electronic items from having some type of data loss, and again, we're going to cover more on this throughout this path.

On-site preview. The reasoning for doing an on-site preview is that it's just going to reduce the amount of items we need to collect. It's going to stop us from collecting unnecessary items; the days of walking in, taking everything, leaving and trying to examine it are over. Most home computers now have terabyte-size hard drives at the least, and we do not have the time to examine every item that can be seized in even just the average home; it's just not practical. You want to reduce the amount of items you collect, you don't want to collect unnecessary items, and that's one of the reasons you do an on-site preview.
Another reason would be to locate relevant evidence. We want to eliminate evidence that is irrelevant and be able to focus in on relevant evidence; an on-site preview will help us do that. Another reason would be it would limit the interruption of a business. If you're doing a live on-site preview, you can limit your impact on that business, and that's going to be very important down the line.

In our next module, we're going to discuss documenting the scene.