Welcome back to the computer forensics path. In Course 7 we're going to talk about the triage and preservation of digital evidence. Preservation of digital evidence: how do we preserve the evidence so that we make little or no change to the original evidence? We're going to talk about live versus dead box evidence collection, whether you're going to be doing a live image of a logical volume or the traditional approach: remove the hard drive, connect it to a write blocker and create a forensic image. We're going to define volatile data and talk about how we capture volatile data, and we're also going to talk about forensic boot options. This is when we boot to some type of Linux distro CD, or maybe a commercial USB or CD drive, into a forensically sound environment where we're not making changes to the original evidence. In Course 7, Module 1, we're going to talk about the preservation of digital evidence: how we preserve the evidence and what steps we're going to take. When we talk about preservation of evidence, what we mean is that we don't want to make any changes to the original evidence, and of course we don't want to destroy the original evidence. We need to maintain the integrity of the original evidence from the time we collect it to the time it goes through court proceedings. We do that by working off of duplicates, making a forensically sound digital copy, using write blockers, and booting into some type of forensic media. There are situations where we're going to have to do live imaging; it's going to be expected of us to do live imaging, and yes, we are going to be making changes to the original evidence. What you want to do there is document what you did and why you did it. Document any changes you make to the original evidence.
The key to this is knowing your equipment, your forensic software and your physical hardware and how it works, so you can explain why you made changes and why it was necessary to do what you did. There are going to be cases where it's absolutely necessary, and if you don't act, you'd be negligent. If a computer is off, if you're doing a search and you find a computer that's off, leave it off; don't just turn it on. You're either going to boot it into some type of forensic boot media, or, if you have a device that is off, you're going to remove the hard drive, if possible, connect it to a write blocker and create a forensic image. If the device is on, here's where things get a little different. First of all, photograph all the open windows on the computer. Note any running applications or processes, and note any destructive processes. Look for destructive processes, things like wiping Drive 0. Look for signs of encryption; you're going to see padlocks and things that look like locks. And we're going to collect RAM, and we're going to talk about how we do all this throughout this course. This slide shows an example of wiping software. In the top one we can see it's erasing a file, and in the graphic just below that we can see that it's erasing Disk 1. So if we see something that looks like this, we know a destructive process is running and we're going to have to take action. If you see a destructive process running, immediately pull the plug from the back of the computer. Don't pull the plug from the wall, because it could have some type of backup battery; pull the plug from the back of the computer. To look for indications of running destructive processes, look down at the bottom at the task bar, or at the system tray. In the graphic you can see the tray, and we see the KillDisk logo; that is the sign that KillDisk is running, and we can also see on the task bar that KillDisk is running.
If you see KillDisk running, you want to pull the plug from the back of the computer. Once we've determined that a destructive process is running, having checked the task bar and the tray, we're going to pull the plug from the back of the computer. If you are working with a laptop, you must also remove the battery. If you cannot remove the battery, if it's a Surface Pro or another laptop where you cannot remove the battery, hard shut down the computer as fast as you can by holding down the power button. Another step we're going to take to preserve the evidence is to isolate it from RF, from wireless signals and from Bluetooth signals. So we're going to use some type of RF shielding like a Faraday bag. Faraday is a brand name; there are other companies that make RF shielding bags. This is to prevent remote wiping, of course, and alteration of the evidence. If we have a device that is powered on, we want it to stay powered on, so we need a portable battery or another portable power supply, because power loss can cause data loss, and it can also trigger the computer locking or trigger encryption kicking in. If encrypted drives were open, they're not going to be anymore. So there may be times when you need to prevent power loss; make sure you have a portable battery or another portable power supply with you in your evidence kit. Write protection: always use write protection when working with the original evidence, and I'm talking about preview and live imaging. Use write protection as much as possible, and we're doing this to prevent changes to the original evidence. But if you can't use write protection, because there are going to be times when you can't, it's just not physically possible, document the changes that you are making to the original evidence. And here is where knowing your software, knowing your tools, comes into play.
So you might have to do some testing and validation in your lab to figure out what changes your particular software is making. I can tell you that any time you plug a USB device into a computer, you're making changes to the registry, and we'll talk more about that throughout this course. In our next module, we're going to talk about live box versus dead box evidence collection.
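As an added example (not part of the course material), here is a Python routine that does what this module describes in software terms: hash the original, make the duplicate, verify the copy's hash, and record an examiner's note about any changes made to the original in a custody log. The evidence file, the paths and the log format are assumptions of the example, standing in for a drive behind a write blocker.

```python
"""Added example (not the course's own code): copy an evidence source, hash
source and image, and keep a chain-of-custody log. The 'evidence drive' is a
constructed file standing in for a device behind a write blocker."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images need little RAM

def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, log_path, note=""):
    """Copy source to image, hash both, and log the result plus any note
    documenting changes made to the original (e.g. a live acquisition)."""
    src_hash = sha256_of(source)    # hash the original first
    shutil.copyfile(source, image)  # byte-for-byte copy
    img_hash = sha256_of(image)     # hash the copy
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "source": source, "image": image,
             "source_sha256": src_hash, "image_sha256": img_hash,
             "verified": src_hash == img_hash, "examiner_note": note}
    with open(log_path, "a") as log:  # append-only custody log
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_image(image, expected_sha256):
    """Re-hash an image later (before analysis or court) and compare."""
    return sha256_of(image) == expected_sha256

def demo():
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence_drive.bin")  # constructed evidence
    with open(src, "wb") as f:
        f.write(b"MBR" + os.urandom(4096) + b"user files...")
    img = os.path.join(work, "evidence.dd")
    entry = acquire_image(src, img, os.path.join(work, "custody.log"),
                          note="dead box, write blocker in use")
    intact = verify_image(img, entry["source_sha256"])
    with open(img, "r+b") as f:  # simulate a later change to the image
        f.write(b"X")
    return entry["verified"], intact, verify_image(img, entry["source_sha256"])
```

The third value returned by demo() is False: once a single byte of the image differs from the logged hash, the copy no longer verifies, which is exactly the check an examiner repeats before analysis and before court.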