Computer forensics is the preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the USDOJ rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and the ability to provide expert opinion in a court of law or other legal proceeding as to what was found.
Computer forensics investigations are also used to confirm and/or prevent theft of information and intellectual property through internal examination and monitoring of usage. In most cases they are conducted in a reactionary situation; today, however, more proactive computer forensic examinations are used for monitoring and, in some cases, as a debriefing process for all exiting employees.
Computer forensics has different facets, and is not just one "thing" or procedure. At a basic level, computer forensics is the analysis of information contained within and created with computer systems, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. This being said, computer forensic techniques and methodologies are used for conducting computing investigations - again, in the interest of figuring out what happened, when it happened, how it happened, and who was involved.
In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files - known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence.
Active, Archival, and Latent Data

In computer forensics, there are three types of data that we are concerned with - active, archival, and latent.
Active data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
Latent data is the information that one typically needs specialized tools to get at. An example would be information that has been deleted or partially overwritten.
A computer investigation could entail looking at all of these data types depending on the circumstances. Obtaining latent data is by far the most time consuming and costly.
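The slack-space and latent-data passages above describe why deleted content survives on media and why specialized tools are needed to get at it. The following is an added illustration, not code from the original article or from GDF: it models a disk as raw media plus a separate allocation table, writes and "deletes" files the way a simple file system does (only the record changes, the bytes stay), and then recovers residue from two places an ordinary user never sees, the slack at the tail of a file's last cluster and the unallocated clusters. The cluster size, file names and record contents are constructed for the example, and the `BEGIN:`/`:END` header-footer pair is a made-up signature standing in for real file signatures used by carving tools.

```python
import re

CLUSTER = 512        # constructed cluster size; real file systems commonly use 4 KiB
NUM_CLUSTERS = 8

def clusters_for(size):
    """Number of whole clusters a file of `size` bytes occupies (at least one)."""
    return max(1, -(-size // CLUSTER))

class ToyDisk:
    """A disk modelled as raw media plus a separate allocation table."""
    def __init__(self):
        self.media = bytearray(NUM_CLUSTERS * CLUSTER)   # zero-filled new disk
        self.table = {}   # file name -> (first cluster, logical size in bytes)

    def free_clusters(self):
        used = set()
        for first, size in self.table.values():
            used.update(range(first, first + clusters_for(size)))
        return [c for c in range(NUM_CLUSTERS) if c not in used]

    def write(self, name, data):
        """Place data in the first contiguous free run; only len(data) bytes are overwritten."""
        need = clusters_for(len(data))
        free = self.free_clusters()
        for i in range(len(free) - need + 1):
            run = free[i:i + need]
            if run == list(range(run[0], run[0] + need)):
                start = run[0] * CLUSTER
                self.media[start:start + len(data)] = data
                self.table[name] = (run[0], len(data))
                return run[0]
        raise OSError("no contiguous free space")

    def delete(self, name):
        """Like most file systems: drop the record, leave the bytes on the media."""
        del self.table[name]

    def read(self, name):
        first, size = self.table[name]
        return bytes(self.media[first * CLUSTER:first * CLUSTER + size])

    def slack(self, name):
        """Bytes after the file's logical end, up to the end of its last cluster."""
        first, size = self.table[name]
        end = (first + clusters_for(size)) * CLUSTER
        return bytes(self.media[first * CLUSTER + size:end])

    def unallocated(self):
        """Concatenation of every cluster no current file claims."""
        return b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in self.free_clusters())

def carve(blob, pattern=rb"BEGIN:.*?:END"):
    """Header/footer carving: recover records without any file-system metadata."""
    return [m.group(0) for m in re.finditer(pattern, blob, re.S)]

def demo():
    disk = ToyDisk()
    record_a = b"BEGIN:draft offer letter for competitor:END"      # constructed
    record_b = b"BEGIN:customer list copied to USB on 03/14:END"   # constructed
    disk.write("report.txt", record_a)     # lands in cluster 0
    disk.write("memo.txt", record_b)       # lands in cluster 1
    disk.delete("report.txt")
    disk.delete("memo.txt")                # both now "gone" to an ordinary user
    disk.write("note.txt", b"lunch at noon")   # reuses cluster 0, overwrites 13 bytes
    return {
        "active": disk.read("note.txt"),
        "remnant_in_slack": b":END" in disk.slack("note.txt"),
        "carved": carve(disk.unallocated()),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The active view shows only `note.txt`; the tail of the overwritten `report.txt` is still readable in that file's slack, and `memo.txt` comes back whole from unallocated space because nothing has reused its cluster yet. That is exactly why an examiner images the whole medium rather than copying the files the operating system lists, and why the article warns that acting late risks losing volatile evidence: every new write is a chance for residue to be overwritten.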
Computer forensics is all about obtaining proof of a crime or breach of policy. Computer forensics is about obtaining the proof of an illegal misuse of computers in a way that could lead to the prosecution of the culprit.
The primary phases in a computer forensics examination are:

- Discussion of suspicion and concerns
- Harvesting of all electronic data
- Identification of violations or concern
- Protection of the proof
- Qualified, verifiable evidence
- Written report and comments of the examiner
If you think you may have a problem it is best to act quickly: computer evidence is volatile and could be destroyed in a blink. It is also better to know for sure than to ignore possible consequences. If you are unfortunate enough to uncover a potential problem, it may be prudent to seek confidential advice from a "Certified Forensic Examiner" before rushing in. The "do it yourself" route is a risky strategy which may have far-reaching effects. If you are committed to using in-house staff, remember the basics of evidential integrity and don't be tempted to use shortcuts.
When carried out correctly, forensic analysis of computer systems involved in abuse can provide valuable evidence which might otherwise have been lost or overlooked. Performed wrongly, even with good intent, your evidence could give the guilty the opportunity they need to get a case dismissed.
Examination Process:

The steps involved for a computing investigation are summarized in the following paragraphs. While this really doesn't do the process justice, it does serve as a quick overview.
1. Computer forensic investigations should always be conducted by a "Certified Computer Forensic Examiner", using licensed equipment to ensure VALIDITY in court and to prevent tainting of the evidence.
2. Establish a chain of custody. Be aware at all times where any items related to the investigation are located. Use a safe or cabinet to secure items.
3. Maintain the integrity of the original media. The original source of information should not be altered. An exact copy of the hard drive (an image) is made, and that image is authenticated against the original to make sure that it is indeed exact.
4. Catalog all information. This includes active, archival, and latent data. Information that has been deleted will be recovered to whatever extent possible. Encrypted information and information that is password protected is identified, as well as anything that indicates attempts to hide or obfuscate data.
5. Additional sources of information are obtained, as the circumstances dictate: firewall logs, proxy server logs, Kerberos server logs, sign-in sheets, etc.
6. The information will be analyzed and interpreted to determine possible evidence. Both exculpatory (they didn't do it) and inculpatory (they did it) evidence is sought out. If appropriate, encrypted files and password protected files are "cracked."
7. Submit a written report to the client with your findings and comments.

8. If needed, provide testimony at a deposition, trial, or other legal proceeding.
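Steps 2 and 3 above (chain of custody, and authenticating an exact copy against the original) are the part of the process a practitioner can mechanize, so here is an added worked example; it is not the article's or GDF's own tooling or procedure. It images a source byte-for-byte while hashing the stream, re-hashes both source and image to confirm all three digests agree, and appends each custody event to an append-only log in which every entry commits to the hash of the previous one, so a later edit to the log is detectable. For the demo the "source device" is a constructed temporary file; on a real case the source would be a write-blocked drive, and the examiner name and storage location written to the log are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # 1 MiB reads so media far larger than RAM can be hashed and copied

def sha256_of(path):
    """Stream a file through SHA-256 without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_source(source, image):
    """Copy source to image byte-for-byte; return the hash of the bytes as read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())   # make sure the image really reached the disk
    return h.hexdigest()

def verify_image(source, image, acquired_hash):
    """Authenticated only if source, acquisition stream and image all agree."""
    return sha256_of(source) == acquired_hash == sha256_of(image)

class CustodyLog:
    """Append-only JSON-lines log; each entry records the hash of the previous line."""
    def __init__(self, path):
        self.path = path
        self.prev = "0" * 64

    def record(self, event, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                 "prev": self.prev, **fields}
        line = json.dumps(entry, sort_keys=True)
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        with open(self.path, "a") as f:
            f.write(line + "\n")
        return self.prev

    @staticmethod
    def verify(path):
        """Walk the chain; any edited, removed or reordered line breaks a link."""
        prev = "0" * 64
        with open(path) as f:
            for line in f:
                if json.loads(line)["prev"] != prev:
                    return False
                prev = hashlib.sha256(line.rstrip("\n").encode()).hexdigest()
        return True

def acquire(source, workdir, examiner):
    """Image a source and record receipt, imaging and verification in the log."""
    image = os.path.join(workdir, "evidence.dd")
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))
    log.record("received", item=source, examiner=examiner,
               stored_in="locked cabinet A (placeholder)")
    acquired = image_source(source, image)
    log.record("imaged", image=image, sha256=acquired)
    ok = verify_image(source, image, acquired)
    log.record("verified", match=ok)
    return image, acquired, ok, log.path

def demo():
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_drive.bin")
        with open(source, "wb") as f:
            f.write(b"constructed-sector-data-" * 150_000)   # constructed media content
        image, digest, ok, logpath = acquire(source, work, "J. Doe (placeholder examiner)")
        # Flip one byte of the image after acquisition: verification must now fail.
        with open(image, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        return {"verified": ok,
                "tamper_detected": not verify_image(source, image, digest),
                "log_ok": CustodyLog.verify(logpath)}

if __name__ == "__main__":
    print(demo())
```

Hashing the stream as it is read, and then separately re-hashing the finished image, is the check that catches a copy that silently truncated or a drive whose contents changed under the examiner; the custody log is what lets the examiner later state under oath where the item was and what was done to it, in order, which is the point of steps 2 and 7.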
The information contained in this document covers the basics, and really doesn't do full justice to all facets of computer forensics. I hope however that you have a better understanding of what computer forensics entails. Feel free to contact me if I can be of assistance, or visit our website www.evestigate.com
GDF conducts computer forensics investigations nationally and internationally, offering quick response with competitive rates, as well as special package rates for volume and exit interviews. Request a quote ASAP!!