Ransomware Forensics: Preserving Digital Evidence
12th August 2024 • The Backup Wrap-Up • W. Curtis Preston (Mr. Backup)


Transcript

W. Curtis Preston:

You found the Backup Wrap-Up, your go-to podcast for all things backup, recovery and cyber recovery. In this episode, we explore the crucial world of ransomware forensics with cybersecurity expert Mike Saylor. We cover why forensics is important during a cyber attack, the essential steps and tools you need to do the job, and we shed light on how organizations can prepare for and respond to ransomware incidents. From preserving critical evidence to navigating the complexities of mobile device forensics, this episode will explain how to use ransomware forensics to unravel cyber attacks and protect your valuable data.

By the way, if you have no idea who I am, hi, I'm W. Curtis Preston, AKA Mr. Backup, and I've been passionate about backup and recovery and related topics ever since I had to tell my boss that we had lost the production database and had no backup for it. I don't want that to happen to me. I don't want that to happen to you, and that's why I do this podcast. Here we turn unappreciated backup admins into cyber recovery heroes. This is the Backup Wrap-Up.

Welcome to the show. Before I continue, if I could ask you to press that subscribe or follow button so that you'll continue to get our amazing content. I am W. Curtis Preston, AKA Mr. Backup, and I have with me my power loss counselor, Prasanna Malaiyandi. How's it going, Prasanna?

Prasanna Malaiyandi:

I'm doing well, Curtis. I know you, not so much, but hey, isn't solar and batteries and everything else supposed to solve all these issues for you?

W. Curtis Preston:

I, I was a, as you know, I've been working on behalf of this one customer and we've been conducting the first ever backup of some really important data. Um, and it's like 500 terabytes of data, and we're down to the, we're kind of down to the, I think the, the, the finish line. And, uh, I had, I'm running a bunch of backups and I had divvied the backups up into thousands of little policies because for many, many reasons, and some of those policies were still, even though they were backing up only a single sub, sub, subdirectory, they've been running for like 10 days when I lost power yesterday. When the customer lost power.

Prasanna Malaiyandi:

Ouch.

W. Curtis Preston:

Rebooting. And there is no...

Prasanna Malaiyandi:

My question for you is why is there no resume functionality for...

W. Curtis Preston:

There is, in, uh, so in this particular customer, we're using that backup. There is a resume functionality in that backup, but not for SMB, our network-based backup. So we're doing, we're backing up over SMB. Um, we, we tried SMB and NFS, uh, we're backing up over SMB and there's no resume functionality. So I will start over. Um, and we will have lost 10 days in this backup that is taking forever. Good times.

Prasanna Malaiyandi:

I am sorry, Curtis, but in...

W. Curtis Preston:

That's all. That's all I needed to hear. Prasanna was somebody. Say there. Sorry. Oh, goodness gracious. But as I told you this morning, when I texted you, at least I found out that the reboot, that was not my fault.

Prasanna Malaiyandi:

Yes, it was not the server randomly...

W. Curtis Preston:

Was not, the server was not, yeah.

Prasanna Malaiyandi:

Oh, I'll, I asked you first, it was like, was it CrowdStrike?

W. Curtis Preston:

Yeah. Yeah. Was not, it was not CrowdStrike. It is a Windows server, but it was not CrowdStrike. Uh, CrowdStrike is not running on the server. I did check that, by the way. But, uh, anyway, but speaking of the cyber world, we once again have our friend of the pod, Mike Saylor, uh, uh, joining with us today. How's it going, Mike?

Mike Saylor:

Afternoon, I'm well.

W. Curtis Preston:

So, uh, we're gonna, and, and for those of you that follow the show, you're gonna see a lot of Mike, uh, over the next little bit, uh, because we're diving deep, diving deep into the world of responding to a ransomware attack. And today we're gonna talk about the forensics phase. So, uh, Mike. What, what do we mean when we say that? Why would we be doing forensics in the middle of a cyber attack?

Mike Saylor:

Well, uh, it's a great way to collect evidence in a, in a safe, uh, controlled environment. And so forensics creates a read-only image of, of your target. So whether it's a whole machine or a particular file or object, uh, we create an image of that that's read-only so we can play with it and look at it and not have to worry about it executing more malware or trying to do what malware does. But, so there's one thing. So some, some safe analysis. We can build a sandbox.

The other part of that is, uh, in that analysis, we, we can learn things about, um, you know, particular, uh, artifact. So if it's malware, uh, uh, is there any metadata that would indicate, you know, the type of malware, where it came from? Uh, is the signature or hash value of this malware similar to other, um, other cases using the same malware? But then if we expand that from just that object or artifact into the, like an entire system, uh, forensically, without having to change, so.

I guess fundamentally I'll add, uh, forensics allows us to interact with, with evidence without changing any of that metadata. So if you log into a machine to review what happened to this machine, you're also changing data in the machine. You're, you're, you're, you're stepping on evidence potentially, or changing.

W. Curtis Preston:

What's the, there, there's a thing in science, the observational effect or something. There's a, there's a word for that.

Mike Saylor:

Yep. So once you interact with, with it, it changes.

W. Curtis Preston:

Right.

Mike Saylor:

So observation, simple observation, sometimes, uh, uh, muddies the water. So creating a forensic image of, of whatever it is, allows you to play with it and, and interact with it without changing the fundamental evidence of any attributes or metadata.

So if I, if, if a machine, as an example, uh, since we're talking about incident response, if a machine is infected or, or we suggest something or we suspect something happened, compromised, uh, employee downloaded a bunch of data on their last day, whatever, whatever our suspicion is that led us to this machine, if we do a forensic image of that, a couple of things, uh, are important, uh, about that. One, we can review all that stuff without changing anything. So if we, if we need to hand it over to legal counsel or it goes to court, prosecution, any of that stuff, it, it is in the state it was, uh, whenever that event happened.

The other thing that allows us to do is determine attributes of certain activities. So if it's malware, ransomware, as an example, how did it get on this machine? What did the log files say? What is the, uh, what network was it on? Was it attached to a Wi-Fi? Where did it go? What connections did it make from this machine to other machines? There's a lot of good stuff, uh, that you're able to dig into, uh, if you have the right tools and you know where to look.

Prasanna Malaiyandi:

So when you say forensic image, what exactly do you mean? Right. Is it just like, 'cause I know we've talked, especially on this podcast previously, about like snapshots and backups and everything else, but that's sort of like copying the data out sometimes. Like if you're doing an image-based copy of like a virtual machine, you get a virt, uh, duplicate copy of that virtual machine. Is there something different when you talk about forensic image that goes beyond just sort of taking a copy of like a virtual machine?

Mike Saylor:

There's a couple of things that, that make the term forensic imaging a little different. One, forensic, the forensic part of that term is really just the discipline, understanding how to approach and, and conduct, uh, a forensic imaging, um, in a, in that, in that approved manner. You've got a formal...

Prasanna Malaiyandi:

You don't change things, right, like you were talking about previously.

Mike Saylor:

It's consistent. So if it goes to court, as a forensic expert, I can say I did this the way that I've done all of them. And there's this documented formal process that's, you know, approved and, and known by industry and accepted in court cases and that kind of thing. So there's the discipline of forensics that lends itself to the forensic imaging term. Uh, more specifically it's called forensic acquisition. Uh, so we're acquiring the data, and the way that we're acquiring it is through a forensically sound imaging process.

Now, another, another term, uh, that, and, and this goes back to just normal, like investigative processes, is best evidence. And so for example, if, if, uh, I'm working on a MacBook Pro that's got a, an integrated storage drive and it's encrypted and there's just, they, and I, and I'm time constrained or resource constrained, or the building's on fire or whatever it is, I'm not gonna be able to do a, a, a sound forensic image of that laptop. What would be better and more timely and possibly as valuable? Best evidence would be an iTunes backup.

Prasanna Malaiyandi:

Hmm.

Mike Saylor:

Let's do an iTunes backup before this building burns down and I run outta time, and that is the best evidence I had the ability to get at that moment. You mentioned snapshots or even other backups? Um, we, we, back in the day when, when we were doing a lot of email forensics, we were, we would do two, we would do the local PST file and then the, the backup, uh, from the Exchange server.

W. Curtis Preston:

Yeah.

Mike Saylor:

There's, those are good evidence, one or the other.

W. Curtis Preston:

It probably falls, uh, Mike, it probably falls in, you know, a lot of stuff we talk about here. We talk about good, better, best, right? So, you know, good, you know, not good is nothing. Right. Good is something, right. So like, you know, said like the PST files, uh, maybe an iTunes backup, maybe any kind of backup that would help prove the, the whatever it is, the thing that you're trying to prove or investigate, the thing you're trying to investigate. The next level, I would think, would be an image of the hard drive, like a full image of the hard drive. The next level beyond that would be the full image of the hard drive plus the, the image of the memory at the time of the system running, right. Um,

Mike Saylor:

And so that, that discipline, that discipline lends itself to your understanding as a forensics expert of, of how to approach this situation. If the computer's on, yeah, I can do a memory dump of that. If it's not on, well, it's not even probable, unless, you know, the virtual, the, uh, like the, the drive, uh, storage drive cache. Uh, but also understanding the, the fundamentals of the device. Your, your target is, I mean, is it a, can I take the hard drive out of this? Is it SSD? Is it, you know, mechanical? Is it flash, is it integrated? Um, all of those things are important.

Uh, one thing I'll just add real quick to best evidence, it's also, uh, and I, I alluded to this in my example of the, the house is on fire, what have you, but it's also, uh, logistics. So if, if, if the, if the case is in, you know, in Europe, the likelihood that we're gonna timely be able to get a forensic image of that device is, uh, is pretty limited. You know, they, we, I've either gotta send somebody there or they've gotta ship it to me. Uh, and in both cases you've got some logistics. So if it's a virtual environment, just take a snapshot, upload it through a cloud, make it available to me, I can pull it down or work on it. Um, and so those are also acceptable alternatives.

W. Curtis Preston:

Don't, those don't, those snapshots in a virtual environment, they usually contain, uh, the memory image, right, from the virtual environment?

Mike Saylor:

They typically do, yeah.

W. Curtis Preston:

Yeah.

Mike Saylor:

Yeah. Yep. Yep.

Prasanna Malaiyandi:

So as you're describing all of this, Mike, I was just thinking this is something that's like way outside the scope of like what a normal IT person does, right? Just even thinking about like how do I even approach this? Maybe you might get some of this from like the secure, like a security person, but just like an IT generalist probably isn't thinking about things in this way, right? They're probably thinking about how do I quickly recover my machine if it was down, right? How do I get people back up and running? Not necessarily how do I preserve evidence to figure out what went on?

Mike Saylor:

Yep. And it's, uh, I, I've seen it implemented just as normal standard operating procedure in some, some environments, uh, where every employee that leaves, they do an image of that laptop so that they can preserve that. They then, they, uh, rebuild the machine and put it out. Uh, redistribute it. Uh, so that if, and that, and that's, uh, for, for IT to become more efficient. So they're not, they don't have this, this laptop on a shelf somewhere for some, you know, 3, 4, 5 days until management decides they don't need anything. The day that they, they separate, they get that laptop back, they image it, takes a couple of hours, uh, they're then able to rebuild it. So by the end of the same day, they're able to re, redistribute that image or that, that laptop, and then preserve that image on, on a server somewhere in case it's needed in the future.

W. Curtis Preston:

Yeah, it's, it's a very different, um, like, like you said, Prasanna, it's a very different discipline than backup and recovery, even though it's kind of a backup. It's just a backup done for a very different purpose. It's just like archive. Archive is kind of like a backup but done for a very different purpose. Right. This is, this is kind of like an archive, 'cause you're, you're basically making a one-time copy of the drive, um, for the, for the purposes of other things. You're not doing it generally, you're not doing it. Um, that the, the departing employee defense thing, uh, Mike, maybe one of those where there's dual purposes. You may need that image later because you accuse the, the, the, um, the employee of doing something. You may need that image later when you find out, oh crap, the, uh,

Prasanna Malaiyandi:

They had a file.

W. Curtis Preston:

He was the only guy working on the empty squad project, and it's only on his laptop. Well, first off, that was an IT fail, but that may be a reason to use your, use, use your forensic image for something else. But in this case, primarily what we're talking about, right, is we're in the midst of a cyber attack. We're going to get, you know, I, I like your term best evidence. We're gonna get the best copy that we can of the environment that we believe is, is, uh, subject to this attack so that we can use that for multiple purposes.

You talked about, I like that first one. You talked about taking that image and putting it into, when you first said it, I, I didn't understand what you meant. You said you, you said something like, it allows you to interact with it in a, in a safe environment or a controlled environment. I was like, whatcha talking about, controlled environment? We're in the midst of a cyber attack here. But you're talking about taking that image and moving it to a different environment where you have more control over the, over, over, the network. Is that, that what you meant?

Mike Saylor:

Ooh, over the, over the image that you're, you're playing with. But, but forensics tools also allow you to, to rebuild an environment. So if I image, you know, four networked PCs, then I can, I can load all of those images into one case in my forensics tool and view all of the data across all of those images concurrently. I don't have to treat them individually. It becomes one big data set.

And the other thing I'll add too is that, um, you know, fundamentally, uh, and that is consistent today, even the, some of the tools that forensics, uh, practitioners use are, uh, the, the fundamental capabilities are based on traditional system tools like dd in the Linux, Unix environment, uh, Ghost and, and SIS tools in the Windows environment. I mean, that's, those are tools we used, you know, 20 years ago to, to do imaging. Um, and then today, so today a lot of the forensics imaging tools, some of them are available free, uh, because they want you to then use their, their expensive analysis tool.

Um, but to your point about, uh, the, the normal IT or ops person not being familiar with forensics, I think they are, again, to your comment about the, from the, from a backup perspective or cloning or a, uh, you know, imaging, you know, I, I've, I've created a, I, I built a laptop and this is the way I want all my laptops to be. So I made this golden image, but then I'm gonna apply on every laptop we build and distribute. Same, same principle and some of the same fundamental tools. Um,

W. Curtis Preston:

I like,

Mike Saylor:

I think.

W. Curtis Preston:

I like the comment that you talked about and you, you reminded me, because when you make that forensic image, with some exceptions, that, that image is really just an image of a hard drive that can be mounted and accessed without actually running the operating system of that hard drive. So if you can get, you know, obviously if it's encrypted, if it, you know, there's some scenarios where this doesn't work, but in many cases you're talking about putting those forensic images into a case in a forensic, uh, what would you call that? A discovery tool? What would you call it?

Mike Saylor:

Forensic analysis tool, right? Processing and analysis are the next couple of...

W. Curtis Preston:

And you can interact with those images and you can look at the files that are on those images without actually doing further risk by actually running those images as a, as a machine.

Prasanna Malaiyandi:

Or I think in addition, you could also, like, uh, Mike was saying, you could run those images if you wanted to, say, for instance, understand the interactions between those four network...

W. Curtis Preston:

You, yeah.

Prasanna Malaiyandi:

Talking about, in a safe manner, right?

W. Curtis Preston:

Yeah, you, can.

Prasanna Malaiyandi:

I'm just saying you don't have to necessarily, depending on what you're, uh, and it, trying to accomplish.

W. Curtis Preston:

Occur to me until he was talking about putting them in a case in that, um, analysis tool.

Mike Saylor:

So imagine, imagine as an IT ops person, uh, you've got an issue with a, uh, a workstation and you've gotta go and, and interact with this. But be careful not to change anything while you're also searching for whatever it might be, a hash value, uh, reviewing logs to determine what happened in a period of time, uh, and then correlating those log entries to, well, alright, so this, the log says this happened. Now let me go look in the, in all the file structure and do some, you know, PowerShell or whatever searches you're gonna do to see what correlates to that log entry. Imagine how much time that would take you.

W. Curtis Preston:

Right.

Mike Saylor:

With forensics, I'm just going to image the whole machine and, and one thing I'll make clear too, there are different types of forensic imaging. There is whole disk imaging. And then there's targeted imaging. So maybe, uh, and this is important in like cloud and, and multi-tenant environments where I just want one VM or one piece of the VM because that's what my, my warrant allows me, or the scope of my investigation allows me. I can't go outside of that, or shouldn't, but if, uh, if I do a, a bit-for-bit, you know, first bit to last bit physical image of a, of a drive or a, of a, of a device, I.

Um, the next step in forensics, uh, the forensics process is processing. It's also called indexing. So I'm using my forensic software to analyze every bit of data from start to finish, even the empty space. And it indexes that into, well, it creates an index. So for example, in, in my forensics tool, if I'm looking for the occurrence of the word apple, as I type the word apple, my results automatically, in real time, update. So when I type the letter A, I've got 7 million results, and as I finish typing that word, it tells me specific to apple, not just how many occurrences, but where in the entire dataset. I could have one computer, I could have a hundred, as long as they're part of the same case, it will give me results across all of the different data sets that I selected that query to hit. And then I can apply more, uh, criteria, like, uh, the word apple specific to metadata related to a specific SID, uh, or user, uh, within a period of time on a particular piece of evidence related to some other attribute. And so now you can see the power of that in real time. They call that a live or an index search. You can also do a live search while indexing is happening, but it slows stuff down.

But I, it'll, it could take, depending on the size of the device, the, the storage, uh, it could take a couple of hours to do the imaging. It could take another couple of hours to do the indexing and processing, but you could be doing other stuff while the machine's doing its thing. And then when you sit down to do your investigation, it's almost in real time. And it, some of the forensics tools now will do timelines for you. Uh, they'll extrapolate all the media images and, and I mean, you can, every, every attribute of data you can think of, you can search on and create, you know, complex queries on.

W. Curtis Preston:

So, let's, let's, let's talk about, um, some of the things that you, you know, again, talking about good, better, best, right? So if you're in the midst of a cyber attack, what are the things that you really have to make sure you don't lose, if at all possible? I'm thinking number one would be logs. Uh, obviously what we, what we want is a, is a forensic image of every machine that we think is, is suspect, that it, that it looks like it might have been involved in this attack. That's what we want. Is there, is there things that we should grab, like logs? Um, like the, the first thing that we grab to make sure that we, we get that. Um, is there stuff like that besides the logs?

Mike Saylor:

Certainly, and, and, and it, it may change from situation to situation, but preserving logs is paramount because one, as you guys probably know, a lot of environments don't have good log settings, so they're overwritten, uh, usually based off volume, not by age. And so in a cyber attack, you can imagine the volume of logs is gonna go up exponentially. So the likelihood that the, uh, the initial, the initialization of that attack, the logs related to that, are preserved is, is small if you don't catch it and preserve those, those, those logs timely. And we want every log. We want firewall, router, switch, NAS, uh, everything you can think of, from external to, you know, from the, from your perimeter all the way into these, uh, potentially compromised machines. We want all those logs, uh, even Exchange, uh, or Office 365, all that stuff.

Just, you need, you need a, a log, uh, log preservation, archiving SOP that just says, when bad stuff happens, here's everything we need to preserve and where we're gonna put it. Which is also something to think about, because if your network's compromised and you're gonna consolidate all these logs into a network location, well, bad guys could just, well, I'll just wait until they're done and delete all of that. Um, so there's,

Prasanna Malaiyandi:

Yeah,

Mike Saylor:

Or that tablet? Uh, so it does, it does. There are some nuances based on what the situation is, but fundamentally, you're right, Curtis, uh, preserving the logs is very...

W. Curtis Preston:

Is there anything that's just beyond that?

Mike Saylor:

So you can go to your ISP, 'cause they, they typically have some data, uh, depending on the, the service that you, uh, you subscribe to, uh, and your, your ISP's, uh, operating procedures. A lot of times they'll drop, they'll drop known bad traffic before it gets to you. Well then bad guys are just figuring that out. We're gonna try this, this, this, this, this, and this, until we find the, the, the secret sauce or the recipe or, you know, whatever it is, that allows me to finally talk to the target, the victim network. Uh, and so the ISP may have some log data that predates, uh, the actual attack. And that could be important, 'cause you'll see bad guys change IP addresses and, and, uh, and hosts and all that good stuff. Uh, so that, that's, that's valuable information too, to, uh, potentially block future attacks.

Um, the other, the other areas to consider too, um, is, is who do you outsource or rely on from a service perspective? If you outsource, you know, your firewall management, uh, if you outsource your backups, if you outsource, if you have cloud environments and, uh, you have, uh, service providers that help you with those. Uh, if you have an IT, if you have an MSP that helps, you know, does your, your help desk and some other, those, uh, some of those other services, that's gotta be part of your incident response plan. You know, not just preserving logs. And sometimes you may have to call those, those partners and service providers to get those logs archived. But again, you know, part of incident response is having all that figured out today, uh, before bad stuff happens. So you've got a, a good, a good playbook to run, to run.

Prasanna Malaiyandi:

Is there, a recommendation?

Prasanna Malaiyandi:

So I know you've talked about how logs are super important in all of this.

Prasanna Malaiyandi:

Is there a recommendation on how long, I know you talked about sometimes people

Prasanna Malaiyandi:

do more volume-based than date-based for keeping logs, but is there sort of like.

Prasanna Malaiyandi:

A recommended practice in terms of how long they should keep their logs.

Prasanna Malaiyandi:

'cause speaking from the privacy side, which I'm very interested in, right,

Prasanna Malaiyandi:

there's sort of the downside of keeping too much data for too long, right?

Prasanna Malaiyandi:

Versus uh, not having enough data so you can do these incident

Prasanna Malaiyandi:

responses and where's that balance?

Mike Saylor:

There's a couple of parts to my answer there, and

Mike Saylor:

the first, the fundamental, uh, response is making sure your logs

Mike Saylor:

are configured, uh, appropriately.

Mike Saylor:

So our, we, we call that the value of your log data.

Mike Saylor:

So what's the value of the information your logs are collecting?

Mike Saylor:

Um, and that value could be business related.

Mike Saylor:

So when we review a log, we, we always ask, why are you logging that?

Mike Saylor:

Well, because we use it for X, Y, and Z.

Mike Saylor:

Okay?

Mike Saylor:

Uh, but if it's, if it's just a, I don't know, someone set, set it up

Mike Saylor:

that way, I'm not sure why we do that.

Mike Saylor:

Uh, so let's, let's have a conversation about in improving the value of your logs.

Mike Saylor:

So there's one thing, and that could reduce the size of logs, it

Mike Saylor:

could expand the size of logs, but nonetheless, it's more valuable.

Mike Saylor:

And that's both from a, like a, a, a detection perspective,

Mike Saylor:

uh, but also incident response.

Mike Saylor:

So, uh, logs are important for a lot of reasons.

Mike Saylor:

Uh, and then some regulatory, um, situations.

Mike Saylor:

Logs are

Mike Saylor:

required simply because of the business you're in, like

Mike Saylor:

financial, the financial sector.

Mike Saylor:

So making sure your logs are valuable is step one.

Mike Saylor:

Uh, and that could then dictate.

Mike Saylor:

How long you keep them based on the, the resulting log

Mike Saylor:

size.

Mike Saylor:

But ideally, you want, you want whatever that host is.

Mike Saylor:

Creating the logs, you want something else to collect that log from the host.

Mike Saylor:

So if the host is impacted, you're not worried about the logs on the host.

Mike Saylor:

They've already been sent

Mike Saylor:

somewhere else, like a SIS log server.

Mike Saylor:

Um, that, I mean, sis log servers are Kiwi servers, I think they used to be called.

Mike Saylor:

Uh, you can do some cool stuff with those.

Mike Saylor:

You can write rules and have 'em, you know, email you or

Mike Saylor:

paid you back in the day.

Mike Saylor:

Uh, but good, better, best, best would be let's have all the.

Mike Saylor:

the.

Mike Saylor:

The, the good log sources, the good data sources, let's ingest those into

Mike Saylor:

a true sim like security incident,

Mike Saylor:

event management platform that can run analytics 24 hours a day and do some

Mike Saylor:

better, cooler, more effective stuff, while also giving us good visibility

Mike Saylor:

across the environment, both east and west and, you know, uh, within the environment,

Mike Saylor:

north, south, in and out of the

Mike Saylor:

environment.

Mike Saylor:

W. Curtis Preston: and also by doing that, you.

Mike Saylor:

Um, you know, if you, if you did it right, I would think you would also provide a

Mike Saylor:

separation so that those logs are not as easily accessible by the bad guys, right.

Mike Saylor:

Um, right.

Mike Saylor:

having having them all in one place.

Mike Saylor:

I like the idea of having a, a Sims o tool.

Mike Saylor:

Look at it, um, and look at these logs on a regular basis to say, Hey,

Mike Saylor:

there's something going on here.

Mike Saylor:

You might want to take a look.

Mike Saylor:

Right.

Mike Saylor:

It'd be nice to be notified of, of something suspicious.

Mike Saylor:

Um, you know, versus that, and this is, I I think one of the recurring themes that

Mike Saylor:

we're we're going here is there are things that you really need to do in advance.

Mike Saylor:

So, you know, la last call we talked about assume breach, right?

Mike Saylor:

At some point you're going to be breached.

Mike Saylor:

You need to be prepared for that.

Mike Saylor:

And so one of the things that we're talking about is be prepared to do

Mike Saylor:

forensic images, be but be prepared, uh, to, to separate these logs, right?

Mike Saylor:

You know, like you talked about, like having a Syslog server,

Mike Saylor:

having a centralized log.

Mike Saylor:

Uh, management system.

Mike Saylor:

And then I do like the idea of, of that, you know, the best would be putting

Mike Saylor:

that into an actual, uh, like a sim sort tool that's gonna actually analyze that.

Mike Saylor:

Um.

Mike Saylor:

So let's go back to the, to the, to the, to the imaging.

Mike Saylor:

I, I, I completely agree with you that the tool, many of the tools, they're

Mike Saylor:

using the same techniques that we used back in the day to do what we used

Mike Saylor:

to call bare metal recovery, right.

Mike Saylor:

Um, a hundred years ago, before everything was virtualized, the idea

Mike Saylor:

of being able to restore a server from bare metal was a thing that we tried

Mike Saylor:

to do, uh, and that required an image.

Mike Saylor:

Right.

Mike Saylor:

That's when we talk about forensic imaging, all we're talking about

Mike Saylor:

essentially is, you know, an image that's typically a, a level

Mike Saylor:

below the file system, right?

Mike Saylor:

This isn't just a, a file system backup, which is generally all we take now.

Mike Saylor:

Uh, well, I'll, I'll back that up.

Mike Saylor:

In the virtualized world, we also take, um, images, we, we've, we've figured out

Mike Saylor:

how to do backups at the image level.

Mike Saylor:

While being able to do file level recovery, which is a beautiful thing.

Mike Saylor:

Right.

Mike Saylor:

Um, and so I would think that having this is yet another advantage of having

Mike Saylor:

a fully virtualized environment is forensic imaging, I think is a lot easier

Mike Saylor:

to do in the, in the virtual world.

Mike Saylor:

Um, what are the, some of the tools that you run into out there are, there are,

Mike Saylor:

are there really common ones that you see or is it just all over the board?

Mike Saylor:

So there's, there are common ones depending on what

Mike Saylor:

the, um, the source device is.

Mike Saylor:

W. Curtis Preston: Right.

Mike Saylor:

So if you're talking and, and really today there's, there's

Mike Saylor:

two, there's two forensic disciplines.

Mike Saylor:

There's traditional forensics, which really continues to follow

Mike Saylor:

and is very rigid on forensic, um, process and principles.

Mike Saylor:

Like you, you don't touch the data.

Mike Saylor:

If it's off, you leave it off.

Mike Saylor:

If it's on you leave it on,

Mike Saylor:

um, you handle it in a certain way.

Mike Saylor:

W. Curtis Preston: And, and that's pro, sorry to interrupt you, but

Mike Saylor:

that's probably more focused on like lawsuits and things like that, right?

Mike Saylor:

Is that, am I correct that particular discipline?

Mike Saylor:

It, it well that, that discipline is focused on traditional

Mike Saylor:

computers like laptop servers,

Mike Saylor:

workstations, things that have hard drives,

Mike Saylor:

W. Curtis Preston: Okay.

Mike Saylor:

and Linux, Unix,

Mike Saylor:

Mac and Windows operating systems.

Mike Saylor:

Um.

Mike Saylor:

So that, that, that traditional forensics, the, the procedures that

Mike Saylor:

you follow are possible because of that traditional hardware.

Mike Saylor:

When you, when you compare that then to a mobile device like an iPhone, you cannot

Mike Saylor:

image an iPhone when it's turned off.

Mike Saylor:

You cannot image an iPhone in some cases by itself, iPhones and some, some of

Mike Saylor:

these mobile devices, smartphones, they have to be mounted in order to be imaged.

Mike Saylor:

Well, you've already violated the traditional forensic principles

Mike Saylor:

of do not modify the data.

Mike Saylor:

Well, I've just mount You had to mount it in order to, to get access to the device.

Mike Saylor:

So a lot of, when, when mobile forensics first came out years

Mike Saylor:

ago, the, the discipline, it was, uh, it was, it was, uh.

Mike Saylor:

Argued very heavily that it shouldn't be called forensics because it doesn't

Mike Saylor:

follow the traditional forensic

Mike Saylor:

W. Curtis Preston: Oh, interesting.

Mike Saylor:

Um, however, going back to best evidence when mobile

Mike Saylor:

data made its way to court.

Mike Saylor:

And opposing counsel started to argue, well, it didn't

Mike Saylor:

follow forensics principles.

Mike Saylor:

We were able then to fall back to, well, best evidence, this is the only

Mike Saylor:

way to get data out of this phone.

Mike Saylor:

And so the what you, what you do to make up the difference is good note taking.

Mike Saylor:

I did this on this data time, so when you see that in the mobile device

Mike Saylor:

evidence, you know, that was me and I was diligent in taking those notes.

Mike Saylor:

So, to, to answer your question.

Mike Saylor:

Traditional forensics has its own tool set, and there are

Mike Saylor:

industry leaders, uh, access data.

Mike Saylor:

Uh, I can't remember the name of their company.

Mike Saylor:

It was just acquired, uh, maybe in the last year or two.

Mike Saylor:

Uh, but Access Data was the name of the company, and the product was

Mike Saylor:

called Forensics Toolkit or FTK.

Mike Saylor:

And FTK was most heavily used by law enforcement because of the, of

Mike Saylor:

the, of Access data's willingness to customize and let them do things

Mike Saylor:

that they needed to do to support, you know, law enforcement activities.

Mike Saylor:

Well, that

Prasanna Malaiyandi:

comp, oh, sorry.

Prasanna Malaiyandi:

I was just gonna chime in, Mike, that that company is now owned by Xero,

Mike Saylor:

ero Yep.

Mike Saylor:

Prasanna Malaiyandi: which does e-discovery.

Mike Saylor:

And, and that was a, a brilliant move on their part.

Mike Saylor:

Uh, the other competitor is, is guidance software and they make, um, their

Mike Saylor:

own, um, their own forensics tools.

Mike Saylor:

Uh, and interestingly enough, uh, guidance software is most heavily used by law firms

Mike Saylor:

and, uh, legal, uh, legal specializations.

Mike Saylor:

And even though.

Mike Saylor:

FTK is more heavily deployed around the world.

Mike Saylor:

Uh, guidance is the one that set the standard for how forensic imaging,

Mike Saylor:

uh, formats, uh, were, were expected.

Mike Saylor:

They call it the EO one format.

Mike Saylor:

Um.

Mike Saylor:

And, and guidance software's, tools called nk, E-N-C-A-S-E.

Mike Saylor:

And so NK or, or, and that's where the e comes from in the, in the,

Mike Saylor:

in the file extension, EO one.

Mike Saylor:

But most forensic software today, the imagers will, you, you've

Mike Saylor:

got the option to, to select what format you want your image in.

Mike Saylor:

It could be dd, it could be raw, it could be E oh one.

Mike Saylor:

Uh, and then on the flip side of that, so I could, I could make an image with FTK.

Mike Saylor:

And not have a problem importing and analyzing that image in NK,

Mike Saylor:

as an example, or vice versa.

Mike Saylor:

So that's traditional.

Mike Saylor:

Well, then you get to mobile forensics and the, the, the, the field of, of

Mike Saylor:

vendors and tools out there just blew up.

Mike Saylor:

There's, you know, black bag and oxygen and paraben and

Mike Saylor:

cellebrite, which you probably

Mike Saylor:

hear a lot.

Prasanna Malaiyandi:

Yeah.

Mike Saylor:

As far as getting into stuff, and they're, they're probably on the

Mike Saylor:

leading edge of, of, uh, mobile forensics.

Mike Saylor:

Um, they're, they're always able to do whatever the next best thing is,

Mike Saylor:

uh, and all of these things.

Mike Saylor:

Now, traditional forensics, the pricing is pretty similar.

Mike Saylor:

The licensing models are pretty similar when you get into mobile forensics.

Mike Saylor:

It can be very specific.

Mike Saylor:

Like I just want a tool that tells me that extracts all the chat messages and media.

Mike Saylor:

That's all I want.

Mike Saylor:

Very low cost, but that's all it does.

Mike Saylor:

Then you've got tools that, like Cellebrite that run the gamut

Mike Saylor:

and they have access to every phone, all the way back to the,

Mike Saylor:

the car phones of the eighties.

Mike Saylor:

Uh, and, and, and other stuff like, I need data out of a Nest thermostat

Mike Saylor:

or a wireless, uh, microwave.

Mike Saylor:

You know, there's it, the, the,

Mike Saylor:

scope.

Mike Saylor:

Capabilities, uh, vary widely as well as the the price and licensing.

Mike Saylor:

W. Curtis Preston: Yeah, I know my employer uses Cellebrite quite a bit.

Mike Saylor:

when, when when grabbing, uh, images from phones.

Mike Saylor:

Um.

Mike Saylor:

you can, you can get trained and certified in, in all

Mike Saylor:

of those tools like paraben and Cellebrite, uh, certified in that thing.

Mike Saylor:

Um, but much like other disciplines in it, you kind of become a one trick pony.

Mike Saylor:

Like that's all I can do.

Mike Saylor:

Uh, and the same with traditional forensics.

Mike Saylor:

They have certifications for that.

Mike Saylor:

Um, but to become a general forensics practitioner, man, it's, it's

Mike Saylor:

like, uh, it, it's like a lot of different, um, like trades type

Prasanna Malaiyandi:

Yes,

Prasanna Malaiyandi:

W. Curtis Preston: Yeah,

Mike Saylor:

job.

Mike Saylor:

You've just gotta, you've gotta live it for

Mike Saylor:

a period of time to

Mike Saylor:

really.

Prasanna Malaiyandi:

so basically people like me who get all their

Prasanna Malaiyandi:

knowledge from YouTube will not succeed in doing forensics.

Prasanna Malaiyandi:

W. Curtis Preston: You might succeed, but you might have trouble if

Prasanna Malaiyandi:

you're in some sort of court of law.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

Um.

Mike Saylor:

A YouTube video long enough to to give you the

Mike Saylor:

exposure you need for just one

Mike Saylor:

W. Curtis Preston: Yeah, so, so it sounds like, you know, like, like the

Mike Saylor:

other things we've been talking about, this is yet another discipline where.

Mike Saylor:

If you're in the midst of the fire, this is why going back to the previous

Mike Saylor:

episode, you need to, in advance of the fire, get a relationship with a company,

Mike Saylor:

perhaps via your cyber insurance carrier.

Mike Saylor:

Get a relationship with a company that does know this stuff cold so

Mike Saylor:

that they know how, they know what they need to take an image of.

Mike Saylor:

They know how to take that image and they, they know how to do it in such a

Mike Saylor:

way that they get the evidence that they need, uh, without changing the evidence.

Mike Saylor:

And they also know how to manipulate and look at that evidence without,

Mike Saylor:

uh, you know, making the fire worse.

Mike Saylor:

Um, does that sound

Mike Saylor:

like a good summary there?

Mike Saylor:

it

Mike Saylor:

does.

Mike Saylor:

And if I could add one more thing that would just enhance the value

Mike Saylor:

of everything you just said.

Mike Saylor:

Is every organization needs to sit through what's called a business impact

Mike Saylor:

analysis and figure out where all those key critical, you know, secret sauce,

Mike Saylor:

jewels of the company are so that when something bad happens, we know

Mike Saylor:

what the bad guys are probably after.

Mike Saylor:

Or at least we know the specifics around all that stuff so that

Mike Saylor:

we're not having to figure it out on, on, your worst day.

Mike Saylor:

Um, and then I think there are a couple of things that, that.

Mike Saylor:

Organizations can document as far as like good first steps in, in helping

Mike Saylor:

preserve evidence in an incident response.

Mike Saylor:

Preserving logs are critical.

Mike Saylor:

Um, but being trained on some forensic acquisition tools like the FTK, uh,

Mike Saylor:

imager, which is free, and having a maybe a small inventory of extra drives that

Mike Saylor:

you can, you can preserve evidence to.

Mike Saylor:

Uh, that stuff, you can write a procedure and it's no different than

Mike Saylor:

like a backup or recovery procedure.

Mike Saylor:

It's just do these things and maybe there might be some decision trees here and

Mike Saylor:

there, but I've written, I've written several, like incident response forensics

Mike Saylor:

kit procedures and, and toolkits for, for clients around the world so that

Mike Saylor:

they can preserve that evidence before I,

Mike Saylor:

before I, you know, it takes me to get there.

Prasanna Malaiyandi:

was, The last thing you want, right, Mike?

Prasanna Malaiyandi:

Based on what you said is like an IT person freaking out that this has

Prasanna Malaiyandi:

hit and being like, oh, I just need to recover my machines and going

Prasanna Malaiyandi:

and formatting the drives and then

Prasanna Malaiyandi:

just starting over.

Prasanna Malaiyandi:

Right.

Prasanna Malaiyandi:

That's like literally the last thing that you want.

Mike Saylor:

That's right, because now you don't know how it happened.

Mike Saylor:

W. Curtis Preston: So I, I like what you're talking about, Mike.

Mike Saylor:

There's nothing wrong with, with learning some of that stuff,

Mike Saylor:

learning what you can do to support a forensic team that's coming in.

Mike Saylor:

I, I, I do wanna just emphasize, learn, right?

Mike Saylor:

Make sure you're learning it from somebody who says, okay, I.

Mike Saylor:

We're, we're gonna be your team.

Mike Saylor:

We're gonna come in.

Mike Saylor:

Here's what you can learn how to do on your own to support us.

Mike Saylor:

Right?

Mike Saylor:

And here's what not to do.

Mike Saylor:

Right.

Mike Saylor:

Please don't just go shut all the machines down, for example.

Mike Saylor:

We want to get it for, you know, we wanna see if we can get an

Mike Saylor:

image of that memory right.

Mike Saylor:

Um, because that's, that was what I would think would be the first step is literally

Mike Saylor:

just going, powering everything off.

Mike Saylor:

Right.

Mike Saylor:

It depends.

Mike Saylor:

If it's, if it's

Mike Saylor:

ransomware, call the plug.

Mike Saylor:

W. Curtis Preston: Uh, and so you have those conversations in advance.

Mike Saylor:

Figure out what it is that you should be doing, uh, to support that team and then

Mike Saylor:

get that team in as quickly as possible.

Mike Saylor:

Well, um, uh, I think, I think we beat this topic to death enough.

Mike Saylor:

Uh, thanks again for, uh, your help, Mike.

Mike Saylor:

Certainly, and there are, there are some intro courses

Mike Saylor:

to forensics, uh, that are part of, uh, continuing education programs.

Mike Saylor:

Uh, or degree programs.

Mike Saylor:

Uh, I teach, uh, intro to Forensics, uh, and investigations for UT San Antonio.

Mike Saylor:

Uh, it's a, it's a 700 page textbook.

Mike Saylor:

Uh, but there, there's some parts of this that are more related to

Mike Saylor:

law enforcement and criminal justice degrees that we don't focus so much on.

Mike Saylor:

But it's a great, uh, great insight into some of the elements of

Mike Saylor:

forensics that are important to know.

Mike Saylor:

If you do wanna.

Mike Saylor:

Run a, you know, clone a drive or, or do an image to preserve data

Mike Saylor:

and, and how that data can be used.

Mike Saylor:

W. Curtis Preston: I like it.

Mike Saylor:

Well, thanks, uh, thanks for coming on

Mike Saylor:

Certainly anytime I.

Mike Saylor:

W. Curtis Preston: and Prasanna, thanks again for, you know, consoling me

Mike Saylor:

in the midst of my power attack and also asking great questions as usual.

Prasanna Malaiyandi:

I try and, yeah, hopefully they realize maybe they

Prasanna Malaiyandi:

should think about battery backups,

Prasanna Malaiyandi:

W. Curtis Preston: Well, they had it, it just, it was, the power

Prasanna Malaiyandi:

outage was long enough that it exceeded the, uh, the backups.

Prasanna Malaiyandi:

they just need to expand it.

Mike Saylor:

They didn't consider

Mike Saylor:

how long of a battery

Mike Saylor:

they needed.

Mike Saylor:

W. Curtis Preston: Yeah.

Mike Saylor:

apparently, apparently longer than four hours.

Mike Saylor:

Uh, anyway.

Mike Saylor:

All right.

Mike Saylor:

Well, thanks to the listeners.

Mike Saylor:

Uh, we'd be nothing without you.

Mike Saylor:

That is a wrap.

Mike Saylor:

The backup wrap up is written, recorded and produced by me w Curtis Preston.

Mike Saylor:

If you need backup or Dr.

Mike Saylor:

Consulting content generation or expert witness work,

Mike Saylor:

check out backup central.com.

Mike Saylor:

You can also find links from my O'Reilly Books on the same website.

Mike Saylor:

Remember, this is an independent podcast and any opinions that you

Mike Saylor:

hear are those of the speaker.

Mike Saylor:

And not necessarily an employer.

Mike Saylor:

Thanks for listening.
