Computer forensics. Why it’s important and how we do it:
Computer forensics is the process of collecting legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information. Computer forensics is applicable in civil proceedings, large and small corporations, a wide variety of computer crime, and corporate mergers. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail. Sometimes the media has been sabotaged or destroyed to cover up the activity, so data recovery is required before the forensics process can begin. We specialize in both areas.
The objective of computer forensic analysis is to determine the facts, as recorded on computer systems and electronic media, in an efficient and non-biased manner.
Computer forensic analysis process:
- Alandata ensures that electronic evidence is admissible in a court of law.
- Create forensic images and preserve electronic evidence using hardware write-blocker.
- Make multiple copies for plaintiff, defendant, and evidence.
- Search for relevant information and determine the history, authentication and origin of electronic documents.
- Perform a preliminary investigation to determine if allegations are correct or if company policy has been violated.
- Use electronic data to reconstruct events or substantiate allegations and claims.
- Use proper tools and expertise/certification to maximize evidence gain and prevent loss.
- Link evidence together to prove the case.
- Prepare evidence for litigation support, including deposition and expert witness testimony.
- Ensure the confidentiality of the process and the impartiality of the investigator.
Types of Computer Forensic Analysis:
Disk Forensics: The process of acquiring and analyzing the data stored on physical storage media (computer hard drives, cell phones, PDAs, removable media, etc.). Disk forensics includes both the recovery of hidden and deleted data and file identification, the process of identifying who created a file or message.
Network Forensics: The process of examining network traffic, including transaction logs and real-time monitoring, using sniffers and tracing.
Internet Forensics: The process of piecing together where and when a user has been on the internet or internal company network. This is used to determine whether inappropriate Internet content access and downloading was accidental or not. It is also used to determine if sensitive information was emailed inappropriately using a personal email account.
Email Forensics: The study of the source and content of electronic mail as evidence. It includes the process of identifying the actual sender, recipient, date, time and location an email originated from. Email has become a significant issue for individuals and organizations. Harassment, discrimination or unauthorized activity violating company policy can be identified via email forensics.
Why you want a certified forensic examiner:
In the electronic-discovery process, the methods used to obtain relevant data are as important as the data itself. The entire process from start to finish should be handled and prepared to be admissible and hold up in the courtroom.
Issues with doing your own investigation, relying on internal IT resources, or having a non-certified computer specialist conduct the investigation include:
The defendant can use anything against you, as the evidence gathered can be scrutinized as not having been collected the proper way. It can be argued that the evidence was tampered with, that bias in the investigation process led to evidence being added or removed to favor one side or another, or that none of the evidence is admissible because it is no longer in its original state. The chances of evidence contamination increase when proper forensic techniques are not applied.