Computer Forensic Experts:
We are computer forensic (digital forensic) experts.
Contact us for more info.
The digital forensics process includes the following:
Seizure, Acquisition, Analysis & reporting
- Prior to the actual examination, digital media is seized. In criminal cases, this is often performed by law enforcement personnel trained as technicians, to ensure the preservation of evidence. In civil matters, it is usually handled by untrained company officers. Various laws cover the seizure of material. In criminal matters, law related to search warrants is applicable. In civil proceedings, it is assumed a company is investigating its own equipment without a warrant. In doing so, the company is responsible for observing the privacy and human rights of employees.
- Once exhibits have been seized, an exact sector-level duplicate (or “forensic duplicate”) of the media is created, usually via a Forensic Falcon or a write-blocking device. This process is referred to as imaging or acquisition. The original drive is then returned to secure storage to prevent tampering.
- The acquired image is verified using the SHA or MD5 hash functions. At critical points throughout the analysis, the media is verified again, a step known as “hashing”. This ensures that the evidence is still in its original state.
- After the acquisition, the contents of the image files are analyzed to identify evidence that either supports or contradicts a hypothesis, or to look for signs of tampering (to hide data).
- During the analysis, the investigator recovers evidence material. This is done using a number of different methodologies (and tools), usually beginning with the recovery of deleted material. Examiners use specialist tools (FTK, Intella) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation. Examples include email, chat logs, images, internet history, or documents. Data can be recovered from accessible disk space or from deleted (unallocated) space. Sometimes the data can also be recovered from operating system cache files.
- Various types of techniques are used to recover evidence. Recovery usually involves some form of keyword searching within the acquired image file, either to identify matches to relevant phrases or to parse out known file types. Certain files (such as graphic images) have a specific set of bytes that identify the start and end of a file. If these bytes are identified, a deleted file can be reconstructed. Many forensic tools use hash signatures to identify notable files or to exclude known (benign) ones. Acquired data is hashed and compared to pre-compiled lists.
- On most media types, including standard magnetic hard disks, once data has been deleted it can’t be recovered. SSDs are of particular interest from a forensics point of view: even after a secure-erase operation, some of the data that was intended to be secure-erased persists on the drive.
- Once evidence is recovered the information is analyzed to reconstruct events or actions and to reach conclusions. This work can often be performed by less specialist staff. Digital investigators, particularly in criminal investigations, ensure that conclusions are based upon data and their own expert knowledge.
- When an investigation is completed, the information is reported in a form suitable for non-technical individuals. Reports may also include audit information and other meta-documentation.
- When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases). They then decide whether to use the evidence in court or not. Generally, for a criminal court, the report package will consist of a written expert conclusion of the evidence as well as the evidence itself (often presented on digital media).
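
The hash verification, start/end byte carving and hash-list comparison steps described above can be shown in a short Python sketch. This is an added example, not code from any tool named on this page. It assumes SHA-256 as the hash, uses the JPEG start and end markers as the "specific set of bytes", and runs on a constructed in-memory image; all function and variable names are hypothetical.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # bytes that start a JPEG file
JPEG_EOI = b"\xff\xd9"      # bytes that end a JPEG file

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024):
    """Yield (offset, data) for each header..footer span in a raw image.

    Simplification: assumes contiguous files; fragmented files and JPEGs
    with embedded thumbnails need a format-aware carver.
    """
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break  # header with no footer: truncated or overwritten file
        end += len(JPEG_EOI)
        if end - start <= max_size:
            yield start, image[start:end]
            pos = end
        else:
            pos = start + 1  # implausibly large span, try the next header

def triage(image: bytes, acquisition_hash: str, benign: set, notable: set):
    """Verify the image against its acquisition hash, then carve and classify."""
    if sha256(image) != acquisition_hash:
        raise ValueError("image no longer matches its acquisition hash")
    results = []
    for offset, data in carve_jpegs(image):
        digest = sha256(data)
        label = ("notable" if digest in notable
                 else "known-benign" if digest in benign else "unknown")
        results.append((offset, len(data), label))
    return results

# Constructed sample data: a tiny fake "disk image" with two complete
# JPEG-like files in otherwise zeroed space and one truncated header.
FILE_A = JPEG_SOI + b"\xe0" + b"holiday-photo" + JPEG_EOI
FILE_B = JPEG_SOI + b"\xe0" + b"wallpaper" + JPEG_EOI
IMAGE = b"\x00" * 512 + FILE_A + b"\x00" * 100 + FILE_B + b"slack" + JPEG_SOI + b"cut"
ACQUISITION_HASH = sha256(IMAGE)  # recorded when the image was taken

if __name__ == "__main__":
    for row in triage(IMAGE, ACQUISITION_HASH, {sha256(FILE_B)}, {sha256(FILE_A)}):
        print(row)
```

The truncated header at the end of the sample image is skipped because no end marker follows it, and any change to the image after acquisition makes `triage` refuse to proceed.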