
Auditing and digital forensics


In this module you’ll continue with the information life cycle, following the process from test strategies and approaches through to reporting and verification, and finally concluding with auditing and digital forensics.


Welcome to this session on forensics and auditing. So, in this session we're gonna talk about digital forensics, and forensic linguistics, and how this can apply to businesses. And also, I'll be demonstrating a couple of tools in relation to this as well. And then we'll discuss exactly what forensics is, and I'll give you some examples as well. So, let me go over to my machine now. So, on my machine in front of me is a digital forensics tool called OSForensics. Now this is a tool I've used many times in the past amongst other tools, and it's used for imaging and finding fragments of information on some form of electronic device. I'm loath to use the term computers, because computer, what is a computer? Now a computer could be a watch, it could be an electronic watch. It could be a physical laptop. It could be a desktop. It could be an IoT device, Internet of Things device. It could be my electronic toothbrush which connects to the Internet, and that type of thing. That could be a computer. Computer definitions really have changed a lot, because, you know, what elements do you need? And that in itself can cause issues. That obviously brings into question certain other things as well, and that's legacy equipment. One of my big bugbears is legacy equipment, and I've discussed this with many people before. Blancco, they're a company that's involved in wiping data, and obviously put out different procedures about how to wipe data itself.

Now, they've actually released a survey about data release, and we in the UK are actually one of the worst for wiping data and securely disposing of it. If you look at the top 30, I think we're quite near the bottom in terms of this information. Some companies, all they do is a factory reset and wipe, and that's it. And they're going, 'Well, you know, I've wiped. The data's gone now.' But a lot of the time, when you're wiping the data, people can still retrieve some of the data back using different techniques. Obviously, I'll demonstrate the USB stick one to you in a minute. But, you know, people can retrieve the data. A lot of people have the cradle to grave. So, they have an inventory record of their assets, which is when it came into existence, and they have an asset register of what happens to it afterwards. But a lot of people just leave it in a comms room, planning to get rid of it at some point. Now all it needs is someone using social engineering, you know, a bit of people hacking, getting access to the comms room, and then they could get access to the data on those hard drives. And even when you come to dispose of it, you know, if I was the Hulk and I tore a hard drive in half, I could still retrieve the data back from it by using a powerful electron microscope. Not everyone has those types of things. Only government level people have access to those.

And I've overtly and covertly in my time been involved with different government agencies in imaging and analysing different devices. Mobile phones being a good example. I know my colleague and I, we wiped her mobile phone, and then we did an image of her mobile phone and retrieved 60% of the data back from it. So, a lot of the time you may have sent your phone off to be fixed, or you're selling it on, and potentially your data, if people are using the right techniques, they could retrieve that data back from it. So, that obviously can be a concern to some people. So, in front of us on my screen here is the OSForensics tool. Now it has a lot of different tools on it. A lot of people don't realise that when you copy an image to a computer, it creates two copies of itself. It has the main copy, which you're used to seeing, and it also creates a thumbnail copy. A lot of people just delete the main images and forget there's thumbnails there, and the thumbnails can be just a very small image, but there's enough information there to probably be able to see what's inside it. And I've successfully used that in lots of investigations I've been involved in. Forensic linguistics is a new tool that's been developed and created to look at analysis of social media, like tweets and those types of things.

Now this is the OSForensics tool, and I use this to image and copy this USB stick to extract and find information. Now I could use some other techniques to find information on drives. This one here's called USBDeview. So, USBDeview, these are free tools from NirSoft. And on there, it actually tells you every single USB device plugged into your computer. And green will tell you that they're live devices, and the white ones would tell you all the legacy ones. All fragments of information that have been left behind. This one's called a prefetch viewer. But what does that mean, Mark, prefetch viewer? A prefetch viewer is where you regularly go to different sites. So, you can see here, you know, on systems you regularly come across a different site, and you can see, you know, I've regularly gone to certain sites on my machine, and you can see a runtime - how many times I've actually been going to this site. And this could indicate to you, you know, people saying, 'I've never gone to that site.' Really? A prefetch viewer, which is normally stored inside the registry, would tell you how many times people have accessed and opened that file, and the exact date and time they opened it. And you can see a whole list of times I've actually been going onto this site, date and time, exactly when I've done it.

Putting all this information together, along with Wi-Fi logs, you can easily piece things together in relation to that, you know, people can't deny it in terms of what they can do with this one. But it's a really useful little tool, this one, you know, little fragments of information.

Now I like to use a tool called Autopsy, and what I did was I imaged it using OSForensics, and from OSForensics I then uploaded it into Autopsy. And Autopsy is good for analysing different types of images that people do. It's a free tool to use. Fascinating website. I highly recommend that you download a copy yourself. And then you can use it for analysing images you've got. And you can see here I've just analysed the image, quite a big image. It's just under 500 megabytes. But I found some EXIF data. What is EXIF data, Mark? EXIF is Exchangeable Image File Format. It is the metadata of images. And you can see quite clearly up here there have been Apple devices used - we've got the device make - and we've also got Nikon cameras and Motorola cameras being used. And we also know if there's any metadata in terms of geolocation stuff. And you can see quite clearly some of these latitude, longitude locations are found, and they're accurate to 7.8 metres using GPS.

Google's also come up with a technique called VPS, which is Virtual Positioning Service, and that's accurate to centimetres, and uses the camera on your phone to lock in exactly where you're located. And that in itself is quite interesting. So, we're getting little fragments of information. You can see it's already got some stuff going, 'Ooh, suspected, suspected information,' there. So, it's bookmarked some of the images it's not happy with. It may be that the person that's been putting this together may have used steganography, which is hiding data inside some form of media file, Word document, pictures, images, those types of things. And interestingly enough, we've also got 1,524 email addresses, and if I just show you the email addresses in there, this could indicate to you this person is about to launch a phishing campaign. Now I've come across cases like this before where I had a load of email addresses come up. I also found inside the fragments - and we were investigating him for something else, but on there we also found these fragments of information - and some of it indicated, A - what his payload was going to be, where the victims were, the details of the victims themselves, and how they can find the information, and also when he was intending to do it. And also details about the cryptocurrency wallet they were going to use to try to extort information from people, and that was enough to prosecute that person. But put these together, these fragments and tools, they're very, very useful. Auditing can also be useful. So, if you're gonna give some equipment away to different organisations, you're verifying and checking the information is no longer there, maybe on your mobile devices. And this can also help to protect against data breaches. And piecing together information is also very useful, to pull all this together and have a detailed report in terms of the findings you have. So, that was just a very quick summary.
Hopefully, you've enjoyed it.
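To show what Autopsy is reading when it reports a device make and GPS position from EXIF, here is an added example (not from the course, OSForensics or Autopsy): a minimal parser for the TIFF-structured EXIF block, run over a constructed sample. The tag numbers are the standard EXIF and GPS ones; the device name and coordinates in the sample are made up.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF field type
MAKE, MODEL, GPS_IFD = 0x010F, 0x0110, 0x8825                    # IFD0 tags
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4                          # GPS sub-IFD tags

def parse_exif(blob):   # device make/model and decimal GPS position from an EXIF block
    e = "<" if blob[:2] == b"II" else ">"          # byte-order mark: 'II' little, 'MM' big endian
    u16 = lambda o: struct.unpack_from(e + "H", blob, o)[0]
    u32 = lambda o: struct.unpack_from(e + "I", blob, o)[0]
    def read_ifd(off):                              # one image file directory -> {tag: value}
        fields = {}
        for i in range(u16(off)):
            ent = off + 2 + 12 * i
            tag, typ, count = u16(ent), u16(ent + 2), u32(ent + 4)
            size = TYPE_SIZE.get(typ, 1) * count
            data = ent + 8 if size <= 4 else u32(ent + 8)   # values of <= 4 bytes are stored inline
            if typ == 2:                                     # ASCII
                fields[tag] = blob[data:data + count].rstrip(b"\0").decode(errors="replace")
            elif typ == 4:                                   # LONG (used for the GPS IFD pointer)
                fields[tag] = u32(data)
            elif typ == 5:                                   # RATIONAL: numerator/denominator pairs
                fields[tag] = [u32(data + 8 * k) / (u32(data + 8 * k + 4) or 1) for k in range(count)]
        return fields
    ifd0 = read_ifd(u32(4))
    out = {"make": ifd0.get(MAKE), "model": ifd0.get(MODEL)}
    if GPS_IFD in ifd0:
        gps = read_ifd(ifd0[GPS_IFD])                        # degrees/minutes/seconds -> decimal
        dec = lambda dms, ref: (-1 if ref in ("S", "W") else 1) * (dms[0] + dms[1] / 60 + dms[2] / 3600)
        out["lat"], out["lon"] = dec(gps[LAT], gps[LAT_REF]), dec(gps[LON], gps[LON_REF])
    return out

# Constructed sample (not a real device's metadata): a little-endian EXIF block with a GPS sub-IFD.
def _ifd(entries, base):      # pack [(tag, type, count, bytes)] at offset `base`; long values go after
    body, extra, tail = b"", b"", base + 2 + 12 * len(entries) + 4
    for tag, typ, count, data in entries:
        if len(data) <= 4:
            body += struct.pack("<HHI", tag, typ, count) + data.ljust(4, b"\0")
        else:
            body += struct.pack("<HHII", tag, typ, count, tail + len(extra)); extra += data
    return struct.pack("<H", len(entries)) + body + b"\0\0\0\0" + extra
def _rat(*v): return b"".join(struct.pack("<II", x, 1) for x in v)   # RATIONALs with denominator 1
def sample_exif():
    make, model = b"Apple\0", b"iPhone\0"
    gps_off = 8 + 2 + 12 * 3 + 4 + len(make) + len(model)     # GPS IFD sits right after IFD0's strings
    ifd0 = _ifd([(MAKE, 2, len(make), make), (MODEL, 2, len(model), model),
                 (GPS_IFD, 4, 1, struct.pack("<I", gps_off))], 8)
    gps = _ifd([(LAT_REF, 2, 2, b"N\0"), (LAT, 5, 3, _rat(51, 30, 0)),
                (LON_REF, 2, 2, b"W\0"), (LON, 5, 3, _rat(0, 7, 30))], gps_off)
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + gps   # header: byte order, magic 42, IFD0 at 8
```

In a JPEG this block is what follows the `Exif\0\0` marker inside the APP1 segment, which is why the sample starts at the TIFF byte-order mark rather than at a JPEG header.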

About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.