Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,060 --> 00:00:08,790 VIDEO I want to go over a basic investigation cycle now, some people had kind of problems understanding 2 00:00:08,790 --> 00:00:14,730 what steps they should take and the previous course, so I just want to kind of outline a very generic 3 00:00:15,000 --> 00:00:17,940 investigation cycle that I personally take. 4 00:00:18,300 --> 00:00:23,670 And this is a template that you could either use yourself or modify to your own use. 5 00:00:24,360 --> 00:00:29,040 So in general, the first thing we do is I'm going to do a client check. 6 00:00:29,250 --> 00:00:32,760 And what I mean by that is I'm going to identify what the client needs. 7 00:00:33,990 --> 00:00:35,880 What are they looking for in this investigation? 8 00:00:35,910 --> 00:00:38,190 Why am I doing this in the first place? 9 00:00:38,460 --> 00:00:39,990 What are their expectations? 10 00:00:41,490 --> 00:00:44,910 I'm going to find out who I'm allowed to contact watered. 11 00:00:45,180 --> 00:00:47,100 What stipulations do they have in place? 12 00:00:47,580 --> 00:00:50,910 Maybe I need to detail every step I take. 13 00:00:51,810 --> 00:00:59,160 To that end, they may want either a browser that's going to track every step something like Huntley. 14 00:00:59,160 --> 00:01:02,580 Or maybe they want me to video record everything I'm doing. 15 00:01:02,670 --> 00:01:06,810 Maybe they want to save the VA after I finish my investigation. 16 00:01:08,280 --> 00:01:12,240 So this is all important stuff they should find out before you even start your investigation. 17 00:01:13,650 --> 00:01:16,830 I'm also going to set my client's expectations before I begin. 18 00:01:18,330 --> 00:01:25,650 I have some clients that have said, OK, I want all this detailed information and so on, and I want 19 00:01:25,650 --> 00:01:26,880 it in 15 minutes. 20 00:01:27,390 --> 00:01:30,780 Well, I try to set their expectation that, well, OK. 21 00:01:30,780 --> 00:01:34,380 First of all, there's no guarantees during its investigation. 22 00:01:34,920 --> 00:01:35,820 I might get lucky. 23 00:01:35,820 --> 00:01:36,330 I have. 24 00:01:36,330 --> 00:01:42,930 I have turned up on a quite a bit information in some cases within the first few minutes. 25 00:01:43,710 --> 00:01:47,190 Be honest, I got really lucky with some of those investigations. 26 00:01:47,490 --> 00:01:55,010 Other times, I've spent days or weeks and came up with less information I would really like to find. 27 00:01:55,020 --> 00:02:02,670 So again, I try to explain to them, depending how much what they're looking for, how much information 28 00:02:02,670 --> 00:02:04,020 they're looking for and whatnot. 29 00:02:06,080 --> 00:02:13,800 There, I may or may not be able to retrieve what they're looking for, so they should, you know, 30 00:02:13,800 --> 00:02:15,780 they should temper their expectations for this. 31 00:02:16,050 --> 00:02:22,890 And also, approximately depending how much of a deep dive they want to take, it's going to depend 32 00:02:22,890 --> 00:02:25,320 on how much time this is going to take. 33 00:02:25,350 --> 00:02:28,110 So again, temper the client's expectation. 34 00:02:29,130 --> 00:02:33,840 So next up, I'm going to do is I'm going to do what they call a personal check. 35 00:02:34,110 --> 00:02:37,950 I'm going to do my own checklist for what I need to do before it can begin. 36 00:02:38,970 --> 00:02:40,920 I want to make sure I have a new VM. 37 00:02:41,160 --> 00:02:47,310 I want to make sure I create a snapshot that I feel I'm going to verify if the client needs that VM 38 00:02:47,310 --> 00:02:48,020 afterwards. 39 00:02:48,030 --> 00:02:48,810 If they do. 40 00:02:48,840 --> 00:02:53,370 Maybe I'll just create the VM Street to a flash drive that I'm going to hand them afterwards. 41 00:02:54,360 --> 00:02:56,790 I want to make sure I have my burner accounts created. 42 00:02:57,900 --> 00:02:59,580 I like to make sure that's done beforehand. 43 00:02:59,580 --> 00:03:06,180 So we do have to waste time during the investigation to create burner accounts, things like fake Facebook 44 00:03:06,180 --> 00:03:07,920 account, Tinder account and whatnot. 45 00:03:07,930 --> 00:03:13,680 Make sure those my existing burner accounts are still valid that they weren't turned off by those companies. 46 00:03:14,880 --> 00:03:17,310 I'm going to make sure I have a VPN that's still working. 47 00:03:19,580 --> 00:03:27,140 Next, I'm going to do initial check, so depending what information I have, I'm going to run her name 48 00:03:27,140 --> 00:03:29,900 through people, spoke you and whatnot. 49 00:03:30,860 --> 00:03:36,530 I'm going to run their email if I have their email through things like the hashed and have I been phoned 50 00:03:36,530 --> 00:03:38,360 to find out what other accounts they have? 51 00:03:39,290 --> 00:03:41,600 Try to find out if I can find her password. 52 00:03:42,980 --> 00:03:44,110 I'm going to take that password. 53 00:03:44,120 --> 00:03:48,980 I'm going to feed it back in the trash and I see real set password and email accounts show up. 54 00:03:49,280 --> 00:03:55,790 I'm going to take whatever address I find phone numbers and one I throw in a dash and see if what other 55 00:03:55,790 --> 00:03:56,930 sites are used it. 56 00:03:58,280 --> 00:04:04,850 I'm going to use Google operators on their name, their address, certain keywords. 57 00:04:04,850 --> 00:04:06,860 I have any aliases and whatnot. 58 00:04:07,910 --> 00:04:12,710 I want to use programs like Recon Dog and Maltego to help me with my initial check. 59 00:04:14,180 --> 00:04:19,980 Next, I'm going to collect information from their social media accounts, Twitter, Facebook, LinkedIn 60 00:04:19,980 --> 00:04:20,690 and whatnot. 61 00:04:21,290 --> 00:04:26,550 I'm going to start collecting as much information as I can when I grab all the images they may post 62 00:04:26,550 --> 00:04:26,720 said. 63 00:04:26,720 --> 00:04:31,790 They made friends, followers, likes everything. 64 00:04:32,720 --> 00:04:34,460 I'm going to rerun all this again. 65 00:04:35,240 --> 00:04:43,970 So once I have some of that information, I'm going to take a look at their friends, make their friends 66 00:04:43,970 --> 00:04:49,310 posts of about them that they don't know about or that they shouldn't be sharing. 67 00:04:50,030 --> 00:04:54,500 I'm going to take all this other additional information I got from their social media accounts to feed 68 00:04:54,500 --> 00:05:00,500 it through hash and the people again and see what results like it if they have a website. 69 00:05:00,530 --> 00:05:02,650 I'm going to do a domain search. 70 00:05:02,660 --> 00:05:04,240 I'm going to use things like Digg. 71 00:05:04,970 --> 00:05:06,590 Erin, I'm going to use. 72 00:05:07,220 --> 00:05:13,250 I'm going to do a trick to copy the websites where I could take it apart at my own leisure without potentially 73 00:05:13,250 --> 00:05:14,750 triggering anything on their site. 74 00:05:15,800 --> 00:05:20,960 I'm going to try to collect as many email addresses and forum posts and images I can from that site. 75 00:05:21,350 --> 00:05:27,290 And if I click any names or or email addresses, I'm going to again feed in Dash, one of my favorite 76 00:05:27,290 --> 00:05:29,810 sites, and see where else those email addresses come up. 77 00:05:31,010 --> 00:05:36,200 If there were part of a data breach, I'm going to verify old information. 78 00:05:36,200 --> 00:05:40,280 So I mean, so chances are you're going to have a huge amount of information. 79 00:05:40,280 --> 00:05:45,440 So I'm going to begin to go through there and see what really relates to this investigation. 80 00:05:45,530 --> 00:05:48,950 I don't want to hand the client a bunch of junk that they don't need. 81 00:05:49,520 --> 00:05:54,470 So or you and also I don't want to give them information that is not valid. 82 00:05:54,860 --> 00:06:01,220 So I want to make very sure that to my best of my ability, that the information presented them is correct 83 00:06:01,370 --> 00:06:04,520 and it is relevant to what the investigation is. 84 00:06:05,420 --> 00:06:06,890 And then I'm going to create a report. 85 00:06:07,640 --> 00:06:08,990 I'm going to create two reports. 86 00:06:09,590 --> 00:06:13,370 I'm going to create this active report, which is going to be a short, non-technical report. 87 00:06:13,790 --> 00:06:18,740 This is just get straight to the point should be about one page or less than a page. 88 00:06:19,160 --> 00:06:22,700 It's going to say, Hey, you know, I sort of this is my name. 89 00:06:23,090 --> 00:06:23,940 This is the goal. 90 00:06:24,050 --> 00:06:25,550 This is why I was able to achieve. 91 00:06:25,580 --> 00:06:27,320 This is why I was not able to achieve. 92 00:06:28,700 --> 00:06:32,720 I'm going to create and then I'm going to create a detailed report. 93 00:06:33,080 --> 00:06:36,050 Detailed report is going to go into a lot more information. 94 00:06:36,050 --> 00:06:38,420 Things like, here's a much media. 95 00:06:38,840 --> 00:06:40,700 Here's here's the steps I. 96 00:06:41,090 --> 00:06:45,740 I took these again our goals and was able to achieve. 97 00:06:46,310 --> 00:06:49,100 These are the goals I was not able to achieve and why. 98 00:06:50,630 --> 00:06:53,690 So again, two reports the quick one. 99 00:06:53,690 --> 00:06:57,770 For people that aren't very technical or really don't care, they just don't know. 100 00:06:58,250 --> 00:06:59,750 Were you able to do this or not? 101 00:07:00,020 --> 00:07:00,720 And why? 102 00:07:02,030 --> 00:07:03,410 In in the detailed report. 103 00:07:03,410 --> 00:07:09,830 For people that are going to be more savvy or need more information, see like lawyers, for example. 104 00:07:10,580 --> 00:07:15,050 So again, this is a what I called him ocean investigation cycle. 105 00:07:15,590 --> 00:07:22,040 And again, you could you feel free to use the template they came up with here? 106 00:07:22,040 --> 00:07:24,710 Or you could always create your own? 107 00:07:26,000 --> 00:07:35,660 But again, this should give you kind of a overview of how a generic investigation would go if you're 108 00:07:35,660 --> 00:07:38,630 not sure how to started or kind of the process for it. 109 00:07:39,140 --> 00:07:39,970 Thank you for watching. 10908