Aug. 12, 2024

Ransomware Forensics: Preserving Digital Evidence

In this episode of The Backup Wrap-Up, we delve into the crucial world of ransomware forensics with cybersecurity expert Mike Saylor. We explore the essential steps and tools used in forensic analysis during a cyber attack, highlighting the importance of preserving evidence and navigating the complexities of both traditional and mobile device forensics.

From log preservation to forensic imaging, we discuss how organizations can prepare for and respond to ransomware incidents. Mike shares insights on the different forensic tools available, their applications, and the challenges faced in modern cybersecurity investigations. We also touch on the importance of having a forensic response plan in place before an attack occurs.

Whether you're an IT professional or simply interested in cybersecurity, this episode offers valuable knowledge about the forensic processes that help unravel cyber attacks and protect valuable data. Tune in to enhance your understanding of ransomware forensics and strengthen your organization's cyber defenses.

Transcript

W. Curtis Preston:

You found The Backup Wrap-Up, your go-to podcast for all things backup, recovery, and cyber recovery. In this episode, we explore the crucial world of ransomware forensics with cybersecurity expert Mike Saylor. We cover why forensics is important during a cyber attack, the essential steps and tools you need to do the job, and we shed light on how organizations can prepare for and respond to ransomware incidents. From preserving critical evidence to navigating the complexities of mobile device forensics, this episode will explain how to use ransomware forensics to unravel cyber attacks and protect your valuable data. By the way, if you have no idea who I am, hi, I'm W. Curtis Preston, AKA Mr. Backup, and I've been passionate about backup and recovery and related topics ever since I had to tell my boss that we had lost the production database and had no backup for it. I don't want that to happen to me. I don't want that to happen to you, and that's why I do this podcast. Here we turn unappreciated backup admins into cyber recovery heroes. This is The Backup Wrap-Up.

Welcome to the show. Before I continue, if I could ask you to press that subscribe or follow button so that you'll continue to get our amazing content. I am W. Curtis Preston, AKA Mr. Backup, and I have with me my power loss counselor, Prasanna Malaiyandi. How's it going, Prasanna?

Prasanna Malaiyandi:

I'm doing well, Curtis, I know you, not so much, but hey, isn't solar and batteries and everything else supposed to solve all these issues for you?

W. Curtis Preston:

I, I was a, as you know, I've been working on behalf of this one customer and we've been conducting the first ever backup of some really important data. Um, and it's like 500 terabytes of data, and we're down to the, we're kind of down to the, I think the, the, the finish line. And, uh, I had, I'm running a bunch of backups and I had divvied the backups up into thousands of little policies because for many, many reasons, and some of those policies were still, even though they were backing up only a single sub, sub subdirectory, they've been running for like 10 days when I lost power yesterday. When the customer lost power.

Prasanna Malaiyandi:

Ouch.

W. Curtis Preston:

Rebooting. And there is no

Prasanna Malaiyandi:

My question for you is why is there no resume functionality for.

W. Curtis Preston:

There is, in uh, so in this particular customer, we're using that backup. There is a resume functionality in that backup, but not for SMB, our network based backup. So we're doing, we're backing up over SMB. Um, we, we tried SMB and NFS, uh, we're backing up over SMB and there's no resume functionality. So I will start over. Um, and we will have lost 10 days and this backup that is taking forever. Good times.

Prasanna Malaiyandi:

I am sorry, Curtis, but in,

W. Curtis Preston:

That's all. That's all I needed to hear. Prasanna was somebody. Say there. Sorry. Oh, goodness gracious. But as I told you this morning, when I texted you, at least I found out that the reboot, that was not my fault.

Prasanna Malaiyandi:

Yes, it was not the server randomly

W. Curtis Preston:

was not, the server was not, yeah.

Prasanna Malaiyandi:

Oh, I'll, I asked you first, it was like, was it CrowdStrike?

W. Curtis Preston:

Yeah. Yeah. Was not, it was not CrowdStrike. It is a Windows server, but it was not CrowdStrike. Uh, CrowdStrike is not running on the server. I did check that, by the way. But, uh, anyway, but speaking of the cyber world, we once again have our friend of the pod, Mike Saylor, uh, uh, joining with us today. How's it going, Mike?

Mike Saylor:

Afternoon, I'm well.

W. Curtis Preston:

So, uh, we're gonna, and, and for those of you that follow the show, you're gonna see a lot of Mike, uh, over the next little bit, uh, because we're diving deep, diving deep into the world of responding to a ransomware attack. And today we're gonna talk about the forensics phase. So, uh, Mike. What, what do we mean when we say that? Why would we be doing forensics in the middle of a cyber attack?

Mike Saylor:

Well, uh, it's a great way to collect evidence in a, in a safe, uh, controlled environment. And so forensics creates a read-only image of, of your target. So whether it's a whole machine or a particular file or object, uh. We create an image of that that's read only so we can play with it and look at it and not have to worry about it executing more malware or trying to do what malware does. But, so there's one thing. So some, some safe analysis. We can build a sandbox. The other part of that is, uh, in that analysis, we, we can learn things about, um, you know, a particular, uh, artifact. So if it's malware, uh. Uh, is there any metadata that would indicate, you know, the type of malware, where it came from? Uh, is the signature or hash value of this malware similar to other, um, other cases using the same malware? But then if we expand that from just that object or artifact into the, like an entire system, uh, forensically without having to change, so. I guess fundamentally I'll add, uh, forensics allows us to interact with, with evidence without changing any of that metadata. So if you log into a machine to review what happened to this machine, you're also changing data in the machine. You're, you're, you're, you're stepping on evidence potentially, or changing.

W. Curtis Preston:

What's the, there, there's a thing in science, the observational effect or something. There's a, there's a word for that.

Mike Saylor:

Yep. So once you interact with, with it, it changes. Right. So observation, simple observation sometimes, uh, uh, muddies the water. So creating a forensic image of, of whatever it is, allows you to play with it and, and interact with it without changing the fundamental evidence of any attributes or metadata. It. So if I, if if a machine as an example, uh, since we're talking about incident response, if a machine is infected or, or we suggest something or we suspect something happened, compromised, uh, employee downloaded a bunch of data on their last day, whatever, whatever our suspicion is that led us to this machine, if we do a forensic image of that, a couple of things, uh, are important, uh, about that. One, we can review all that stuff without changing anything. So if we. If we need to hand it over to legal counsel or it goes to court, prosecution, any of that stuff. It, it is in the state it was, uh, whenever that event happened. The other thing that allows us to do is determine attributes of certain activities. So if it's malware, ransomware, as an example, how did it get on this machine? What did the log files say? What is the, uh. What network was it on? Was it attached to a wifi? Where did it go? What connections did it make from this machine to other machines? There's a lot of good stuff, uh, that you're able to dig into. Uh, if you have the right tools and you know where to look.

Prasanna Malaiyandi:

So when you say forensic image, what exactly do you mean? Right. Is it just like, 'cause I know we've talked, especially on this podcast previously, about like snapshots and backups and everything else, but that's sort of like copying the data out sometimes. Like if you're doing an image-based copy of like a virtual machine, you get a virt, uh, duplicate copy of that virtual machine. Is there something different when you talk about forensic image that goes beyond just sort of taking a copy of like a virtual machine?

Mike Saylor:

There's a couple of things that, that make the term forensic imaging a little different. One, forensic, the forensic part of that term is really just the discipline, understanding how to approach and, and conduct, uh, a forensic imaging, um, in a, in that, in that approved manner, you've got a formal

Prasanna Malaiyandi:

you don't change things, right, like you were talking about previously.

Mike Saylor:

It's consistent. So if it goes to court, as a forensic expert, I can say I did this the way that I've done all of them. And there's this documented formal process that's, you know, approved and, and known by industry and accepted in court cases and that kind of thing. So there's the discipline of forensics that lends itself to the forensic imaging term. Uh, more specifically it's called forensic acquisition. Uh, so we're acquiring the data and the way that we're acquiring it is through a forensically sound imaging process. Now, another, another term, uh, that, and, and this goes back to just normal, like investigative processes, is best evidence. And so for example, if, if, uh, I'm working on a MacBook Pro that's got a, an integrated storage drive and it's encrypted and there's just, they. And I, and I'm time constrained or resource constrained, or the building's on fire or whatever it is, I'm not gonna be able to do a a, a sound forensic image of that laptop. What would be better and more timely and possibly as valuable? Best evidence would be an iTunes backup.

Prasanna Malaiyandi:

Hmm.

Mike Saylor:

Let's do an iTunes backup before this building burns down, and I run outta time, and that is the best evidence I had the ability to get at that moment. You mentioned snapshots or even other backups? Um, we, we, back in the day when, when we were doing a lot of email forensics, we were, we would do two, we would do the local PST file and then the, the backup, uh, from the Exchange server.

W. Curtis Preston:

Yeah.

Mike Saylor:

there's, those are good evidence, one or the other.

W. Curtis Preston:

It probably falls, uh, Mike, it probably falls in, you know, a lot of stuff we talk about here. We talk about good, better, best, right? So, you know, good, you know, not good is nothing. Right. Good is something, right. So like, you know, said like the PST files, uh, maybe an iTunes backup, maybe any kind of backup that would help prove the, the whatever it is, the thing that you're trying to prove or investigate, the thing you're trying to investigate. The next level, I would think, would be an image of the hard drive, like a full image of the hard drive. The next level beyond that would be the full image of the hard drive plus the, the image of the memory at the time of the system running, right. Um,

Mike Saylor:

And so that, that discipline, that discipline lends itself to your understanding as a forensics expert of, of how to approach this situation. If the computer's on, yeah, I can do a memory dump of that. If it's not on, well, it's not even probable unless, you know, the virtual, the, uh, like the, the drive, uh, storage drive cache, uh, but also understanding the, the fundamentals of the device. Your, your target is, I mean, is it a. Can I take the hard drive out of this? Is it SSD? Is it, you know, mechanical? Is it flash, is it integrated? Um, all of those things are important. Uh, one thing I'll just add real quick to best evidence, it's also, uh, and I, I alluded to this in my example of the, the house is on fire, what have you, but it's also, uh, logistics. So if, if, if the, if the case is in, you know, in Europe. The likelihood that we're gonna timely be able to get a forensic image of that device is, uh, is pretty limited. You know, they, we, I've either gotta send somebody there or they've gotta ship it to me. Uh, and in both cases you've got some logistics. So if it's a virtual environment, just take a snapshot, upload it through a cloud, make it available to me, I can pull it down or work on it. Um, and so those are also acceptable alternatives.

W. Curtis Preston:

Don't, those don't, those snapshots in a virtual environment, they usually contain, uh, the memory image, right? From the virtual environment,

Mike Saylor:

they typically do your

W. Curtis Preston:

Yeah. Yeah. Yep. Yep.

Prasanna Malaiyandi:

So as you're describing all of this, Mike, I was just thinking this is something that's like way outside the scope of like what a normal IT person does, right? Just even thinking about like how do I even approach this? Maybe you might get some of this from like the secure, like a security person, but just like an IT generalist probably isn't thinking about things in this way, right? They're probably thinking about how do I quickly recover my machine if it was down, right? How do I get people back up and running? Not necessarily how do I preserve evidence to figure out what went on?

Mike Saylor:

Yep. And it's, uh, I, I've seen it implemented just as normal standard operating procedure in some, some environments, uh, where every employee that leaves, they do an image of that laptop so that they can preserve that. They then they, uh, rebuild the machine and put it out. Uh, redistribute it. Uh, so that if, and that, and that's, uh, for, for it to become more efficient. So they're not, they don't have this, this laptop on a shelf somewhere for some, you know, 34, 5 days until management decides they don't need anything. The day that they, they separate, they get that laptop back, they image it, takes a couple of hours, uh, they're then able to rebuild it. So by the end of the same day, they're able to re redistribute that image or that that laptop and then preserve that image on, on a server somewhere. In case it's needed in the future.

W. Curtis Preston:

Yeah, it's, it's a very different. Um, like, like you said, Prasanna, it's a very different discipline than backup and recovery, even though it's kind of a backup, it's just a backup done for a very different purpose. It's just like archive. Archive is kind of like a backup but done for a very different purpose. Right. This is, this is kind of like an archive. 'cause you're, you're basically making a one time copy of the drive, um, for the, for the purposes of. Other things, you're not doing it generally, you're not doing it. Um, that the, the departing employee defense thing, uh, Mike, maybe one of those where there's dual purposes, you may need that image later because you accuse the, the, the, um, the employee of doing something. You may need that image later when you find out, oh crap. The, uh,

Prasanna Malaiyandi:

They had a file.

W. Curtis Preston:

he was the only guy working on the empty squad project, and it's only on his laptop. Well, first off, that was an IT fail, but. That may be a reason to use your use, use your forensic image for something else. But in this case, primarily what we're talking about, right, is we're in the midst of a cyber attack. We're going to get, you know, I, I like your term best evidence. We're gonna get the best copy that we can of the environment that we believe is, is, uh, subject to this attack so that we can use that for multiple purposes. You talked about. I like that first one. You talked about taking that image and putting it into, when you first said it, I, I didn't understand what you meant. You said you, you said something like, it allows you to interact with it in a, in a safe environment or a controlled environment. I was like, whatcha talking about controlled environment? We're in the midst of a cyber attack here. But you're talking about taking that image and moving it to a different environment where you have more control over the, over, over, the network. Is that that what you meant?

Mike Saylor:

Over the, over the image that you're, you're playing with. But, but forensics tools also allow you to, to rebuild an environment. So if I image, you know, four networked PCs, then I can, I can load all of those images into one case in my forensics tool and view all of the data across all of those images concurrently. I don't have to treat them as individually. It becomes one big data set. And the other thing I'll add too is that, um, you know, fundamentally, uh. And that is consistent today. Even the, some of the tools that forensics, uh, practitioners use are, uh, the, the fundamental capabilities are based on traditional system tools like dd in the Linux/Unix environment, uh, Ghost and, and SIS tools in the Windows environment. I mean, that's, those are tools we used, you know, 20 years ago to to do imaging. Um, and then today, so today a lot of the forensics imaging tools, some of them are available free, uh, because they want you to then use their, their expensive analysis tool. Um, but to your point about, uh, the, the normal IT or ops person not being familiar with forensics, I think they are, again, to your comment about the, from the, from a backup perspective or cloning or a. Uh, you know, imaging, you know, I, I've, I've created a, I, I built a laptop and this is the way I want all my laptops to be. So I made this golden image, but then I'm gonna apply on every laptop we build and distribute. Same, same principle and some of the same fundamental tools. Um,

W. Curtis Preston:

I like,

Mike Saylor:

I think.

W. Curtis Preston:

I like the comment that you talked about and you, you reminded me because when you make that forensic image, with some exceptions, that that image is really just an image of a hard drive that can be mounted and accessed without actually running the operating system of that hard drive. So if you can get. You know, obviously if it's encrypted, if it, you know, there's some scenarios where this doesn't work, but in many cases you're talking about putting those forensic images into a case in a forensic, uh, what would you call that? A discovery tool? What would you call it?

Mike Saylor:

Forensic analysis tool, right? Processing and analysis are the next couple of.

W. Curtis Preston:

And you can interact with those images and you can look at the files that are on those images. Without actually doing further risk by actually running those images as a, as a machine.

Prasanna Malaiyandi:

Or I think in addition, you could also, like, uh, Mike was saying, you could run those images if you wanted to, say, for instance, understand the interactions between those four network

W. Curtis Preston:

You Yeah.

Prasanna Malaiyandi:

talking about in a safe manner, right?

W. Curtis Preston:

yeah, you, can.

Prasanna Malaiyandi:

I'm just saying you don't have to necessarily, depending on what you're, uh, trying to accomplish,

W. Curtis Preston:

and it occur to me until he was talking about putting them in a case in that, um, analysis tool.

Mike Saylor:

So imagine, imagine as an IT ops person, uh, you've got an issue

 

 


Mike Saylor:

with a, uh, a workstation and you've gotta go and, and interact with this.

 

 


Mike Saylor:

But be careful not to change anything while you're also searching for whatever

 

 


Mike Saylor:

it might be, a hash value, uh, reviewing logs to determine what happened in a

 

 


Mike Saylor:

period of time, uh, and then correlating those log entries to well, alright,

 

 


Mike Saylor:

so this, the log says this happened.

 

 


Mike Saylor:

Now let me go look in the, in all the file structure and do some, you know, power

 

 


Mike Saylor:

shell or whatever searches you're gonna do to see what correlates to that log entry.

 

 


Mike Saylor:

Imagine how much time that would take you

 

 


Mike Saylor:

W. Curtis Preston: Right.

 

 


Mike Saylor:

with forensics, I'm just going to image the whole machine and,

 

 


Mike Saylor:

and one thing I'll make clear too, there are different types of forensic imaging.

 

 


Mike Saylor:

There is whole disc imaging.

 

 


Mike Saylor:

And then there's targeted imaging.

 

 


Mike Saylor:

So maybe, uh, and this is important in like cloud and, and multi-tenant

 

 


Mike Saylor:

environments where I just want one VM or one piece of the vm because that's

 

 


Mike Saylor:

what my, my warrant allows me, or the scope of my investigation allows me.

 

 


Mike Saylor:

I can't go outside of that or shouldn't, but if, uh, if I do a,

 

 


Mike Saylor:

a bit for bit, you know, first bit to last bit physical image of a, of

 

 


Mike Saylor:

a drive or a of a, of a device, I.

 

 


Mike Saylor:

Um, the next step in forensics, uh, the forensics process is processing.

 

 


Mike Saylor:

It's also called indexing.

 

 


Mike Saylor:

So I'm using my forensic software to analyze every bit of data from start

 

 


Mike Saylor:

to finish, even the empty space.

 

 


Mike Saylor:

And it indexes that into, well, it creates an index.

 

 


Mike Saylor:

So for example, in, in my forensics tool, if I'm looking for the

 

 


Mike Saylor:

occurrence of the word apple.

 

 


Mike Saylor:

As I type the word apple, my results automatically in real time updates.

 

 


Mike Saylor:

So when I type the letter A, I've got 7 million results, and as I finish typing

 

 


Mike Saylor:

that word, it tells me specific to Apple, not just how many occurrences,

 

 


Mike Saylor:

but where in the entire dataset.

 

 


Mike Saylor:

I could have one computer, I could have a hundred, as long as they're

 

 


Mike Saylor:

part of the same case, it will give me results across all of the different

 

 


Mike Saylor:

data sets that I selected That.

 

 


Mike Saylor:

Query to hit, and then I can apply more, uh, criteria like, uh, the word

 

 


Mike Saylor:

apple specific to metadata related to a specific SID uh, or user, uh, within a

 

 


Mike Saylor:

period of time on a particular piece of evidence related to some other attribute.

 

 


Mike Saylor:

And so now you can see the power of that in real time.

 

 


Mike Saylor:

They call that a live or an index search.

 

 


Mike Saylor:

You can also do a live search while indexing is happening,

 

 


Mike Saylor:

but it slows stuff down.

 

 


Mike Saylor:

But I.

 

 


Mike Saylor:

It'll, it could take, depending on the size of the device, the, the storage.

 

 


Mike Saylor:

Uh, it could take a couple of hours to do the imaging.

 

 


Mike Saylor:

It could take another couple of hours to do the indexing and processing,

 

 


Mike Saylor:

but you could be doing other stuff while the machine's doing its thing.

 

 


Mike Saylor:

And then when you sit down to do your investigation, it's almost in real time.

 

 


Mike Saylor:

And it, some of the forensics tools now will do timelines for you.

 

 


Mike Saylor:

Uh, they'll extrapolate all the media images and, and I mean, you can,

 

 


Mike Saylor:

every, every attribute of data you can think of, you can search on and

 

 


Mike Saylor:

create, you know, complex queries on.

 

 


W. Curtis Preston: So, let's talk about some of the things that you... again, talking about good, better, best, right? So if you're in the midst of a cyber attack, what are the things that you really have to make sure you don't lose, if at all possible? I'm thinking number one would be logs. Obviously what we want is a forensic image of every machine that we think is suspect, that looks like it might have been involved in this attack. That's what we want. Are there things that we should grab, like logs, the first thing that we grab to make sure that we get that? Is there stuff like that besides the logs?

Mike Saylor: Certainly, and it may change from situation to situation, but preserving logs is paramount, because, one, as you guys probably know, a lot of environments don't have good log settings, so they're overwritten, usually based off volume, not by age. And so in a cyber attack, you can imagine the volume of logs is gonna go up exponentially. So the likelihood that the initialization of that attack, the logs related to that, are preserved is small if you don't catch it and preserve those logs timely. And we want every log. We want firewall, router, switch, NAS, everything you can think of, from your perimeter all the way into these potentially compromised machines. We want all those logs, even Exchange or Office 365, all that stuff. You need a log preservation and archiving SOP that just says, when bad stuff happens, here's everything we need to preserve and where we're gonna put it. Which is also something to think about, because if your network's compromised and you're gonna consolidate all these logs into a network location, well, bad guys could just say, I'll just wait until they're done and delete all of that. So there's...

W. Curtis Preston: Everything all in one place.

Mike Saylor: Now let me blow that place up. Bad guys are lazy, I'm telling you. But then also, depending on... like, there was a big credit union hack, a compromise, recently, and it was determined that the source of that attack came from a mobile phone. It was a network user that interacted with either a website or an email; it was a no-click malware that infected the phone. And then because the phone was on the production network, it was able to spread. Who would've thought to go back and get an image of that phone...

Prasanna Malaiyandi: Yeah.

Mike Saylor: ...or that tablet? So it does. There are some nuances based on what the situation is, but fundamentally, you're right, Curtis, preserving the logs is very...

W. Curtis Preston: Is there anything that's just beyond that?

Mike Saylor: So you can go to your ISP, 'cause they typically have some data, depending on the service that you subscribe to and your ISP's operating procedures. A lot of times they'll drop known bad traffic before it gets to you. Well, then bad guys are just figuring that out: we're gonna try this, this, this, this, this, and this until we find the secret sauce or the recipe or whatever it is that allows me to finally talk to the target, the victim network. And so the ISP may have some log data that predates the actual attack. And that could be important, 'cause you'll see bad guys change IP addresses and hosts and all that good stuff. So that's valuable information, too, to potentially block future attacks. The other area to consider, too, is who do you outsource to or rely on from a service perspective? If you outsource your firewall management, if you outsource your backups, if you have cloud environments and you have service providers that help you with those, if you have an MSP that does your help desk and some of those other services, that's gotta be part of your incident response plan. You know, not just preserving logs. And sometimes you may have to call those partners and service providers to get those logs archived. But again, part of incident response is having all that figured out today, before bad stuff happens, so you've got a good playbook to run.

Prasanna Malaiyandi: Is there a recommendation? So I know you've talked about how logs are super important in all of this. Is there a recommendation on how long... I know you talked about how sometimes people do more volume-based than date-based for keeping logs, but is there sort of a recommended practice in terms of how long they should keep their logs? 'Cause speaking from the privacy side, which I'm very interested in, right, there's sort of the downside of keeping too much data for too long, right? Versus not having enough data so you can do these incident responses. Where's that balance?

Mike Saylor: There's a couple of parts to my answer there, and the first, the fundamental response, is making sure your logs are configured appropriately. We call that the value of your log data. So what's the value of the information your logs are collecting? And that value could be business related. So when we review a log, we always ask, why are you logging that? Well, because we use it for X, Y, and Z. Okay. But if it's, I don't know, someone set it up that way, I'm not sure why we do that, then let's have a conversation about improving the value of your logs. So that's one thing, and that could reduce the size of logs, it could expand the size of logs, but nonetheless, it's more valuable. And that's both from a detection perspective, but also incident response. So logs are important for a lot of reasons. And then in some regulatory situations, logs are required simply because of the business you're in, like the financial sector. So making sure your logs are valuable is step one. And that could then dictate how long you keep them, based on the resulting log size. But ideally, whatever that host is that's creating the logs, you want something else to collect that log from the host. So if the host is impacted, you're not worried about the logs on the host. They've already been sent somewhere else, like a syslog server. Syslog servers... Kiwi servers, I think they used to be called. You can do some cool stuff with those. You can write rules and have 'em email you, or page you back in the day. But good, better, best: best would be, let's take all the good log sources, the good data sources, and ingest those into a true SIEM, a security incident event management platform that can run analytics 24 hours a day and do some better, cooler, more effective stuff, while also giving us good visibility across the environment, both east and west within the environment, and north and south, in and out of the environment.

W. Curtis Preston: And also by doing that, if you did it right, I would think you would also provide a separation so that those logs are not as easily accessible by the bad guys, right? Right, having them all in one place. I like the idea of having a SIEM sort of tool look at it, and look at these logs on a regular basis to say, hey, there's something going on here, you might want to take a look. Right? It'd be nice to be notified of something suspicious. You know, versus that... and this is, I think, one of the recurring themes that we're going with here, is there are things that you really need to do in advance. So, last call we talked about assume breach, right? At some point you're going to be breached. You need to be prepared for that. And so one of the things that we're talking about is, be prepared to do forensic images, but be prepared to separate these logs, right? Like you talked about, having a syslog server, having a centralized log management system. And then I do like the idea of, the best would be putting that into an actual SIEM sort of tool that's gonna actually analyze that. So let's go back to the imaging. I completely agree with you that many of the tools are using the same techniques that we used back in the day to do what we used to call bare metal recovery, right. A hundred years ago, before everything was virtualized, the idea of being able to restore a server from bare metal was a thing that we tried to do, and that required an image. Right. So when we talk about forensic imaging, all we're talking about essentially is an image that's typically a level below the file system, right? This isn't just a file system backup, which is generally all we take now. Well, I'll back that up. In the virtualized world, we also take images; we've figured out how to do backups at the image level while being able to do file level recovery, which is a beautiful thing. Right. And so I would think that this is yet another advantage of having a fully virtualized environment: forensic imaging, I think, is a lot easier to do in the virtual world. What are some of the tools that you run into out there? Are there really common ones that you see, or is it just all over the board?

Mike Saylor: So there are common ones, depending on what the source device is.

W. Curtis Preston: Right.

Mike Saylor: So if you're talking... and really, today there's two forensic disciplines. There's traditional forensics, which really continues to follow, and is very rigid on, forensic process and principles. Like, you don't touch the data. If it's off, you leave it off. If it's on, you leave it on. You handle it in a certain way.

W. Curtis Preston: And that's pro... sorry to interrupt you, but that's probably more focused on lawsuits and things like that, right? Am I correct, about that particular discipline?

Mike Saylor: Well, that discipline is focused on traditional computers, like laptops, servers, workstations, things that have hard drives...

W. Curtis Preston: Okay.

Mike Saylor: ...and Linux, Unix, Mac, and Windows operating systems. So that traditional forensics, the procedures that you follow, are possible because of that traditional hardware. When you compare that, then, to a mobile device like an iPhone: you cannot image an iPhone when it's turned off. You cannot image an iPhone in some cases by itself; iPhones and some of these mobile devices, smartphones, they have to be mounted in order to be imaged. Well, you've already violated the traditional forensic principle of do not modify the data. Well, you had to mount it in order to get access to the device. So when mobile forensics first came out years ago, it was argued very heavily that the discipline shouldn't be called forensics because it doesn't follow the traditional forensic...

W. Curtis Preston: Oh, interesting.

Mike Saylor: However, going back to best evidence, when mobile data made its way to court and opposing counsel started to argue, well, it didn't follow forensics principles, we were able then to fall back to, well, best evidence: this is the only way to get data out of this phone. And so what you do to make up the difference is good note taking. I did this on this date and time, so when you see that in the mobile device evidence, you know that was me, and I was diligent in taking those notes. So, to answer your question, traditional forensics has its own tool set, and there are industry leaders. AccessData... I can't remember the name of their company; it was just acquired, maybe in the last year or two. But AccessData was the name of the company, and the product was called Forensics Toolkit, or FTK. And FTK was most heavily used by law enforcement because of AccessData's willingness to customize and let them do things that they needed to do to support law enforcement activities. Well, that...

Prasanna Malaiyandi: Comp... oh, sorry. I was just gonna chime in, Mike, that that company is now owned by Exterro...

Mike Saylor: Exterro. Yep.

Prasanna Malaiyandi: ...which does e-discovery.

Mike Saylor: And that was a brilliant move on their part. The other competitor is Guidance Software, and they make their own forensics tools. And interestingly enough, Guidance Software is most heavily used by law firms and legal specializations. And even though FTK is more heavily deployed around the world, Guidance is the one that set the standard for how forensic imaging formats were expected. They call it the E01 format. And Guidance Software's tool is called EnCase, E-N-C-A-S-E. And so EnCase, that's where the E comes from in the file extension, E01. But most forensic software today, the imagers, you've got the option to select what format you want your image in. It could be dd, it could be raw, it could be E01. And then on the flip side of that, I could make an image with FTK and not have a problem importing and analyzing that image in EnCase, as an example, or vice versa. So that's traditional. Well, then you get to mobile forensics, and the field of vendors and tools out there just blew up. There's BlackBag and Oxygen and Paraben and Cellebrite, which you probably hear a lot.

Prasanna Malaiyandi: Yeah.

Mike Saylor: As far as getting into stuff, they're probably on the leading edge of mobile forensics. They're always able to do whatever the next best thing is, and all of these things. Now, in traditional forensics, the pricing is pretty similar, the licensing models are pretty similar. When you get into mobile forensics, it can be very specific. Like, I just want a tool that extracts all the chat messages and media. That's all I want. Very low cost, but that's all it does. Then you've got tools like Cellebrite that run the gamut, and they have access to every phone all the way back to the car phones of the eighties. And other stuff, like, I need data out of a Nest thermostat or a wireless microwave. You know, the scope and capabilities vary widely, as well as the price and licensing.

W. Curtis Preston: Yeah, I know my employer uses Cellebrite quite a bit when grabbing images from phones.

Mike Saylor: You can get trained and certified in all of those tools, like Paraben and Cellebrite, certified in that thing. But much like other disciplines in IT, you kind of become a one-trick pony. Like, that's all I can do. And the same with traditional forensics; they have certifications for that. But to become a general forensics practitioner, man, it's like a lot of different, like, trades-type...

Prasanna Malaiyandi: Yes.

W. Curtis Preston: Yeah.

Mike Saylor: ...job. You've just gotta live it for a period of time to really...

Prasanna Malaiyandi: So basically people like me who get all their knowledge from YouTube will not succeed in doing forensics.

W. Curtis Preston: You might succeed, but you might have trouble if you're in some sort of court of law. Right.

Mike Saylor: ...a YouTube video long enough to give you the exposure you need for just one...

W. Curtis Preston: Yeah, so it sounds like, like the other things we've been talking about, this is yet another discipline where, if you're in the midst of the fire... this is why, going back to the previous episode, you need to, in advance of the fire, get a relationship with a company, perhaps via your cyber insurance carrier. Get a relationship with a company that does know this stuff cold, so that they know what they need to take an image of. They know how to take that image, and they know how to do it in such a way that they get the evidence that they need without changing the evidence. And they also know how to manipulate and look at that evidence without making the fire worse. Does that sound like a good summary there?

Mike Saylor: It does. And if I could add one more thing that would just enhance the value of everything you just said: every organization needs to sit through what's called a business impact analysis and figure out where all those key, critical, secret-sauce jewels of the company are, so that when something bad happens, we know what the bad guys are probably after. Or at least we know the specifics around all that stuff, so that we're not having to figure it out on your worst day. And then I think there are a couple of things that organizations can document as far as good first steps in helping preserve evidence in an incident response. Preserving logs is critical. But being trained on some forensic acquisition tools, like the FTK Imager, which is free, and having maybe a small inventory of extra drives that you can preserve evidence to. That stuff, you can write a procedure, and it's no different than a backup or recovery procedure. It's just, do these things, and maybe there might be some decision trees here and there. But I've written several incident response forensics kit procedures and toolkits for clients around the world so that they can preserve that evidence before I... in the time it takes me to get there.

Prasanna Malaiyandi: That's the last thing you want, right, Mike? Based on what you said, it's like an IT person freaking out that this has hit and being like, oh, I just need to recover my machines, and going and formatting the drives and then just starting over. Right. That's like literally the last thing that you want.

Mike Saylor: That's right, because now you don't know how it happened.

W. Curtis Preston: So I like what you're talking about, Mike. There's nothing wrong with learning some of that stuff, learning what you can do to support a forensic team that's coming in. I do wanna just emphasize: learn, right? Make sure you're learning it from somebody who says, okay, we're gonna be your team. We're gonna come in. Here's what you can learn how to do on your own to support us. Right? And here's what not to do. Right. Please don't just go shut all the machines down, for example. We wanna see if we can get an image of that memory, right. Because that's what I would think would be the first step: literally just going and powering everything off. Right.

Mike Saylor: It depends. If it's ransomware, pull the plug.

W. Curtis Preston: And so you have those conversations in advance. Figure out what it is that you should be doing to support that team, and then get that team in as quickly as possible. Well, I think we beat this topic to death enough. Thanks again for your help, Mike.

Mike Saylor: Certainly. And there are some intro courses to forensics that are part of continuing education programs, or degree programs. I teach Intro to Forensics and Investigations for UT San Antonio. It's a 700-page textbook. But there's some parts of this that are more related to law enforcement and criminal justice degrees that we don't focus so much on. But it's a great insight into some of the elements of forensics that are important to know if you do wanna run a... clone a drive, or do an image to preserve data, and how that data can be used.

W. Curtis Preston: I like it. Well, thanks for coming on.

Mike Saylor: Certainly. Anytime.

W. Curtis Preston: And Prasanna, thanks again for consoling me in the midst of my power attack and also asking great questions, as usual.

Prasanna Malaiyandi: I try. And, yeah, hopefully they realize maybe they should think about battery backups.

W. Curtis Preston: Well, they had it, it's just the power outage was long enough that it exceeded the backups. They just need to expand it.

Mike Saylor: They didn't consider how long of a battery they needed.

W. Curtis Preston: Yeah. Apparently longer than four hours. Anyway. All right. Well, thanks to the listeners. We'd be nothing without you. That is a wrap. The Backup Wrap-Up is written, recorded, and produced by me, W. Curtis Preston. If you need backup or DR consulting, content generation, or expert witness work, check out backupcentral.com. You can also find links to my O'Reilly books on the same website. Remember, this is an independent podcast, and any opinions that you hear are those of the speaker and not necessarily an employer. Thanks for listening.