Computer and Mobile Forensics
Computer forensics is the discovery and evaluation of digital evidence, which may be stored on any device anywhere within a business or other environment. It reconstructs what recently happened on a system: the digital traces left behind can pinpoint the specifics of a system-related incident or the exact actions taken by a user. The evidence can relate to computer attacks, damage to information systems, unauthorised access to networks and much more, and can range from documents that were accessed, deleted or transferred to remote locations to a user's web browsing history. A breached device or a damaged network holds vital information that allows a skilled forensic investigator to establish what happened and how, to solve the crime, and to prevent it from happening again.
Because of this insight, civil litigation often calls for a qualified and experienced computer forensics expert witness to help establish the facts of a computer's use and the activities of its purported user. The primary aim of the computer forensics team is to identify, collect and analyse digital evidence. Depending on business needs, the evidence can be analysed further and prepared for various purposes, including presentation as computer-based evidence in a court of law.
Computer users often attempt to hide or conceal illicit use of their computers, and technologies such as encryption and privacy software are frequently used to obscure inappropriate activities.
Depending on the nature of the investigation, security vulnerabilities, configuration weaknesses or human factors may have to be exploited in order to collect the required evidence. The target can be a single standalone system, or multiple systems and applications of different types spread across continents.
Our consultants have extensive experience in computer and mobile forensics. ProCheckUp employs scientific methods to recover digital evidence and follows the established ACPO Good Practice Guide for handling digital evidence, so that the evidence remains legally admissible in court.
Forensic Investigation steps/assurances
ProCheckUp follows the four phases set out in NIST SP 800-86:
- Collection: Identifying, labelling, recording, and acquiring data from the possible sources of relevant data, whilst following procedures that preserve the integrity of the data.
- Examination: Forensically processing collected data using a combination of automated and manual methods. Assessing and extracting data of interest, while preserving the integrity of the data.
- Analysis: Reviewing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
- Reporting: Reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.
Forensic Investigation action plan
Once the information needed to start the investigation has been discussed and identified (e.g. activity logs, storage devices or further information), a plan will be drafted that follows these steps:
Once ProCheckUp has access to the device(s), a bit-for-bit copy (forensic image) of the evidence supplied by the client will be made and all subsequent work is carried out on that copy. Once copied, the original media will be sealed and stored in a secure location.
Loss of data integrity is arguably the biggest risk: without it the entire investigation could be voided because the results or the data are tainted. Every precaution will be taken to ensure that the data on the original disk is not changed, modified or deleted in any way, and the copy is verified against the original before analysis begins.
An audit trail will be kept, providing an accurate timeline of the personnel who handled the evidence and of every step taken by the investigator(s).
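The three steps above (copy, integrity, audit trail) fit together as one acquisition workflow. The following is an added example written for this page, not ProCheckUp's own tooling: it images a source read-only, hashes the original as it is read and the copy after it is written to disk, compares the two, and appends every action to an append-only chain-of-custody log. The source is a constructed file standing in for a device; a real acquisition reads a block device behind a hardware write blocker, and the examiner name and file names are assumptions for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads so large media never sit in memory

# Constructed stand-in for a seized device (assumption: in practice the source
# is a block device behind a hardware write blocker, not a regular file).
EVIDENCE_BYTES = b"constructed evidence image " * 2048


def sha256_file(path):
    """Hash a file in chunks; used for both the original and the copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def log_event(log_path, examiner, action, detail):
    """Append one chain-of-custody entry (who, when, what) as a JSON line."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        "detail": detail,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def acquire_image(source, image, log_path, examiner):
    """Bit-for-bit copy of `source` to `image`. The original is hashed while it
    is read and the copy is re-read from disk and hashed afterwards; matching
    hashes are the integrity evidence, a mismatch means the copy is unusable."""
    log_event(log_path, examiner, "acquire-start", {"source": source})
    src_hash = hashlib.sha256()
    size = 0
    # source is opened read-only; nothing is ever written back to it
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    record = {
        "source": source,
        "image": image,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image),  # from disk, not from memory
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    log_event(log_path, examiner, "acquire-complete", record)
    return record


def verify_image(image, expected_sha256):
    """Re-verification before analysis: the working copy must still hash to
    the value recorded at acquisition time."""
    return sha256_file(image) == expected_sha256


def demo(examiner="examiner-1"):
    """Run the whole workflow on the constructed evidence in a temp directory."""
    work = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(work, "evidence.bin")
    image = os.path.join(work, "evidence.dd")
    log_path = os.path.join(work, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(EVIDENCE_BYTES)
    record = acquire_image(source, image, log_path, examiner)
    record["reverified"] = verify_image(image, record["source_sha256"])
    with open(log_path, encoding="utf-8") as f:
        record["log_entries"] = sum(1 for _ in f)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash of the copy is deliberately computed by re-reading the written file rather than reusing the in-memory digest, so a write error or a faulty disk shows up as a mismatch. The recorded hash is what later lets anyone, including opposing counsel, confirm that the image analysed is the one that was acquired.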
Data recovery is often useful in aiding a forensic analysis and investigation, but is also required in many other circumstances. Several kinds of failure can result in the loss of data on a physical disk. Whether the loss is intentional or unintentional, ProCheckUp has the technology to salvage lost data in certain circumstances.
ProCheckUp can help recover data lost for the following reasons:
- Human error / accidental file deletion
- Logical bad sectors on a hard disk
- Overwritten data
- Formatted drive
- Corrupt partitions / filesystem
- Operating system error
- Unbootable drives
Note: Only logical data recovery is covered by this service. ProCheckUp cannot guarantee that data loss due to physical damage can be recovered.
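Most of the logical cases listed above (deleted files, formatted drives, corrupt partitions) leave the file contents on disk while the file system's pointers to them are gone. Signature carving recovers such files by scanning the raw bytes for known header and footer byte sequences, ignoring the file system entirely. The following is an added illustration written for this page, not ProCheckUp's tooling: it carves PNG and JPEG spans out of a constructed block of "unallocated space" whose payloads are not real pictures, only the signatures matter for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# Header/footer byte pairs for two common types. Carving works on raw bytes,
# so it finds files whose directory entries no longer exist.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_FILE_SIZE = 16 * 1024 * 1024  # stop looking for a footer beyond this window


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes

    @property
    def sha256(self):
        # hash recorded alongside every recovered object for the report
        return hashlib.sha256(self.data).hexdigest()


def carve(image, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Return every header..footer span found in the raw image, in offset order."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            # the footer must lie wholly inside the size window after the header
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1  # orphaned header (footer overwritten): skip it
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda c: c.offset)
    return found


# Constructed sample of unallocated space: two deleted files surrounded by
# filler. The payloads are placeholders, not valid image data.
PNG_FILE = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"P" * 300 + SIGNATURES["png"][1]
JPG_FILE = b"\xff\xd8\xff\xe0" + b"J" * 200 + b"\xff\xd9"
FILLER_A = b"\x00" * 512
FILLER_B = b"A" * 256
FILLER_C = b"\x00" * 128
SAMPLE_IMAGE = FILLER_A + PNG_FILE + FILLER_B + JPG_FILE + FILLER_C


if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"{f.kind} @ {f.offset:#x} len={len(f.data)} sha256={f.sha256}")
```

The caveats are the ones the note above hints at: a fragmented file is carved wrongly, a JPEG's footer bytes can legitimately occur inside its compressed data so the first match may truncate it, and data that has been overwritten is simply not there to find. Production carvers parse each format's structure rather than relying on a footer alone, and physical faults are outside what any software approach can recover.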
Data Discovery is the systematic identification and analysis of sensitive data across a network. Such data can include trade secrets and intellectual property, financial and payment card data (e.g. credit card PAN, CVV and track data), personally identifiable information, payroll, health records and databases.
Because of the complexity of today's business processes, sensitive data can unintentionally find its way to insecure locations within the network, such as an employee's laptop, open file shares or the cloud. ProCheckUp can help organisations 'discover' such data, so they can confirm that the controls in place are effective in protecting its confidentiality, integrity and availability.
Locating and protecting specific types of confidential information is a key requirement of several industry standards and regulations, such as PCI DSS and HIPAA.
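Payment card numbers are the most mechanical of the data types listed above to hunt for, which is why PAN discovery is the usual first pass in a PCI DSS scoping exercise. The following is an added example written for this page, not ProCheckUp's scanner: it walks a directory tree, looks for 13 to 19 digit runs (with optional single spaces or hyphens), keeps only those that pass the Luhn check digit test, and reports file, byte offset and a masked PAN. The sample files and their contents are constructed; the two card numbers in them are the widely used Visa and Mastercard test numbers, and the other digit runs are decoys.

```python
import os
import re
import tempfile

# 13-19 digits, optional single space/hyphen separators, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check digit test; weeds out most order numbers, phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four only: the findings report must not itself
    become a new store of cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return (offset, masked_pan) for every Luhn-valid candidate in `text`."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), mask(digits)))
    return hits


def scan_tree(root):
    """Walk a directory and report file, byte offset and masked PAN per hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                # latin-1 maps bytes 1:1, so match offsets are byte offsets
                text = f.read().decode("latin-1")
            for offset, masked in find_pans(text):
                findings.append({"path": path, "offset": offset, "masked": masked})
    return findings


# Constructed sample. 4111 1111 1111 1111 and 5555555555554444 are the standard
# Visa/Mastercard test numbers (Luhn-valid); the other digit runs are decoys.
SAMPLE_TEXT = (
    "Customer refund processed, card 4111 1111 1111 1111 exp 09/27\n"
    "Order 1234567890123 shipped; tel 020 7123 4567\n"
    "Legacy export: 5555555555554444\n"
    "Invoice ref 1234 5678 9012 3456 (not a card)\n"
)


def demo():
    """Build a small constructed file tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="discovery-")
    with open(os.path.join(root, "refunds.log"), "w", encoding="latin-1") as f:
        f.write(SAMPLE_TEXT)
    with open(os.path.join(root, "notes.txt"), "w", encoding="latin-1") as f:
        f.write("No card data here, only an account id 998877.\n")
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}:{hit['offset']} {hit['masked']}")
```

Two points matter in practice. The Luhn check is a filter, not proof: roughly one in ten random digit runs passes it, so hits still need review, and real scanners add issuer prefix ranges and context keywords to cut false positives. And plain-text scanning misses data in compressed archives, databases, UTF-16 exports and encrypted volumes, which is exactly where a discovery exercise has to reach if it is to tell you whether the controls around cardholder data are actually effective.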
Data Documentation and further preparation
At the end of the engagement, the client is provided with a final deliverable consisting of a full technical report detailing the evidence found and its significance, a timeline of the compromise or related events, recommendations for remediation, and a management-level summary. Further deliverables, including presentations and training, can be arranged.