What exactly is computer forensics?
Computer forensics is the use of specialized techniques for the recovery, authentication, and analysis of electronic data when a case involves issues relating to the reconstruction of computer usage, the examination of residual data, and the authentication of data by technical analysis or by explanation of technical features of data and computer usage.

What is a forensic computer examination?
A forensic computer examiner uses specialized hardware, software, and training to retrieve and analyze data in such a way as to preserve the integrity of that data.

How is a computer forensic investigation approached?
The main phases are considered to be:
• Secure the subject system (from tampering during the operation)
• Make a copy of the hard drive (if applicable)
• Identify and recover files (including those deleted)
• Access/copy hidden, protected and temporary files
• Study 'special' areas on the drive (e.g. residue from previously deleted files)
• Investigate data/settings from installed applications/programs
• Assess the system as a whole, including its structure
• Consider general factors relating to the user's activity
• Create a detailed report
Throughout the investigation, it is important to stress that a full audit log of our activities is maintained.

Is there anything that should NOT be done before or during an investigation?
It is important to avoid changing date/time stamps (of files, for example) or changing the data itself. The same applies to the overwriting of unallocated space (which can happen on re-boot, for example).

Why can't our company personnel (IT Dept) be used to retrieve or analyze data?
Although company personnel may have a degree of knowledge, even in recovering lost data, they do not have the requisite training and knowledge of forensic procedures to ensure that all the data is recovered and analyzed, and to protect the data for court admissibility. Many times company computer personnel destroy potential evidence. There have been many instances where we have received a computer for examination after someone else has attempted to examine it in a non-forensic environment, and found that evidence, such as last-access date and time stamps for files, has been changed forever; such evidence may be critical in showing who did what, and when.

We do not plan to utilize the information in court, and plan on handling the situation within the company. Why would we need a forensic examiner?
Although your initial plans are to handle the situation within the company, you do not know the full extent of the problem until it has been analyzed. Company computer personnel may not have the ability to give you a full picture of the problem. Any employee discipline or termination has the potential for civil litigation. At that point it is much harder to go back and do an impartial examination, as the electronic evidence has been accessed and even changed by company computer personnel, opening the door to accusations that company employees planted the evidence. Company personnel do not have the ability to testify in court as expert witnesses, who are allowed not only to testify regarding the information found but to offer opinions as to how the information came to reside on the computer. If your concerns are strong enough to merit an assessment of computer usage, it is essential to do it right.

We already use an outside firm for investigations or accounting who can conduct data retrieval and analysis. Why shouldn't we continue to use them?
Although there are many good, qualified firms conducting forensic computer examinations and data retrieval, there are many that do not follow approved forensic procedures or employ certified forensic computer examiners. When data retrieval or analysis is conducted in a forensic environment, the original media, such as a computer hard drive, is forensically accessed or copied. It is on the forensically accessed or copied media that the retrieval or analysis is conducted. This ensures that the original media is never changed, and it allows a third party to review and verify the findings of the examiner. If the company's actions are reviewed by a third party, such as a court, it will be the examination and the examiner that will be scrutinized the most. DARC utilizes Certified Forensic Computer Examiners certified by the International Association of Computer Investigative Specialists. Our examiners have both the investigative background and the skills and experience necessary to conduct a professional analysis and properly present the findings in court or in any other third-party review.
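The copy-and-verify step described above (make a copy, work only on the copy, keep an audit log that a third party can check against the media) as an added example that is not DARC's own procedure or tooling: it hashes the original, makes a working copy, confirms that the copy matches and that the original is unchanged, logs the hashes, and then shows a later write to the working copy being caught by re-hashing. The file names and the sample "image" are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images never have to fit in memory

def sha256_of(path):
    """Content hash of a file; this is what a third party re-computes to verify us."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def verified_copy(original, copy, audit_log):
    """Copy the original to a working copy, hash both, and append the result to the audit log.
    Returns True only if the copy matches and the original is provably unchanged."""
    before = sha256_of(original)
    shutil.copyfile(original, copy)
    after = sha256_of(copy)
    again = sha256_of(original)  # re-hash the original: the copy step must not have altered it
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "action": "acquire working copy",
        "original": original, "copy": copy,
        "sha256_original": before, "sha256_copy": after,
        "verified": before == after == again,
    }
    audit_log.append(entry)
    return entry["verified"]

def demo():
    """Run the acquisition on a constructed sample 'image', then show that any later
    change to the working copy is caught by re-hashing against the logged value."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence.img")  # constructed sample, not real media
    with open(original, "wb") as f:
        f.write(b"constructed sample image\x00" * 4096)
    copy = os.path.join(work, "evidence_working_copy.img")
    log = []
    ok = verified_copy(original, copy, log)
    with open(copy, "r+b") as f:  # simulate an accidental write to the working copy
        f.write(b"X")
    still_matches = sha256_of(copy) == log[-1]["sha256_copy"]
    return {"acquired_ok": ok, "copy_matches_after_write": still_matches, "log": log}
```

The hash covers file content only; file-system timestamps of the original are not protected by it, which is why the page's advice to avoid touching them still stands.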
Copyright © Darcforensics, 2006