Computer forensics deals with the retrieval, interpretation and preservation of evidence from computer storage drives (workstations, servers, laptops, etc.) and the reporting of findings. The aim is to look for everything from data exfiltration to the recovery of deleted data and the building of timelines. Here we focus on forensic techniques for preserving digital evidence.
How Can Computer Forensics Be Used In Your Business?
A business might want to see whether an employee has been browsing inappropriate sites or had unauthorized files on their computer. Such instances might be violations of a company policy, or they might be fraudulent actions that could cost the company millions of dollars in damages. Business use cases vary, but the forensic techniques generally remain the same. The following are possible ways computer forensics can help a business resolve a dispute or conduct an investigation:
- Identifying unauthorized access by employees to Internet sites, intranet sites or files;
- Identifying employee fraud, including detection of fraud-related documents and keyword searches;
- Identifying theft by employees, including the copying and transfer of company files onto external devices, linked-file analysis and registry analysis;
- Finding out general employee usage patterns and behavior;
- Spotting files deleted by employees, including the recovery of deleted files and file carving.
Preservation of Computer Forensic Evidence
Preservation means ensuring that the collected evidence is not tampered with. It is achieved by acquiring the evidence and establishing its authenticity in a forensically sound manner. Three processes are key to this: imaging, hashing and chain of custody.
Collection of evidence through Imaging
Imaging a drive is a forensic process in which an analyst creates a bit-for-bit duplicate of a drive.
The first step in any digital forensics examination is to protect the original evidence in accordance with industry standards and digital forensics best practices. This is done by creating a forensic image of the original evidence item. A forensic image is a special type of copy of the original evidence: it contains all of the data found in the original, but that data is encapsulated in a forensic file format which makes it tamper-proof.
Imaging is important because it:
- Preserves the original evidence in its original state
- Prevents inadvertent alteration of the original evidence during examination
- Allows the duplicate image to be recreated if necessary
When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5, SHA-1) for the image.
A hash is the output of a mathematical algorithm that produces a value unique to its input; the most used algorithms are MD5, SHA-1 and SHA-256.
The value is used to demonstrate the integrity of the data, because altering even a single bit of the data will generate a completely different hash value. If the hash values do not match the expected values, it raises the concern that the evidence has been tampered with.
Specialized software exists for performing this function.
The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media, and thus to demonstrate that the image is a true, unaltered copy of the original.
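As an added illustration (not part of the original article), the following Python script hashes an image file in chunks with the algorithms named above, verifies it against the digests recorded at acquisition, and shows that flipping a single bit changes every digest. The "image" is a constructed stand-in file written to a temporary directory, not a real drive image.

```python
import hashlib
import os
import tempfile

# Algorithms the article names; SHA-256 is the one to rely on today.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # read the image 1 MiB at a time; images rarely fit in RAM

def hash_chunks(chunks, algorithms=ALGORITHMS):
    """Feed an iterable of byte strings through every algorithm in one pass
    and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_file(path, algorithms=ALGORITHMS):
    """Hash the file at `path` without loading it whole into memory."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(CHUNK), b""), algorithms)

def verify_image(path, expected):
    """Compare current digests with those recorded at acquisition and return
    the algorithms that differ; an empty list means the image still verifies."""
    current = hash_file(path, list(expected))
    return [name for name, digest in expected.items()
            if current[name].lower() != digest.lower()]

def flip_one_bit(path, offset):
    """Change a single bit of the file (stands in for accidental alteration)."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        byte = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([byte ^ 0x01]))

def demo():
    """Hash a constructed stand-in image, then show one flipped bit fails it."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:            # constructed sample data
            fh.write(b"EVIDENCE" * 4096)
        acquired = hash_file(image)             # digests recorded at acquisition
        clean = verify_image(image, acquired)   # [] -> image verifies
        flip_one_bit(image, offset=100)
        return clean, sorted(verify_image(image, acquired))
```

`demo()` returns `([], ['md5', 'sha1', 'sha256'])`: the untouched copy verifies, and after one bit changes every recorded digest mismatches.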
Chain of custody
A chain of custody is a chronological paper trail documenting when, how, and by whom individual items of electronic evidence were collected, handled and analyzed during an investigation.
Chain of Custody Form
To implement chain of custody, a Chain of Custody Form is used to record all activities pertaining to a particular item of electronic evidence: every change in its seizure, custody, control, transfer, analysis and disposition. It is a living document, updated as the evidence proceeds through the investigation and trial.
What is captured in a Chain of Custody form?
- Details of the evidence item.
- Location and conditions under which the evidence was collected.
- The identity and signature of each person who handled the evidence and their authority to do so.
- How long the evidence was in the possession of each person who handled it.
- How the evidence was transferred each time it changed hands.
Who handles a chain of custody?
The Chain of Custody Form may be handled only by identifiable persons with authority to possess the evidence, such as police officers and detectives, forensic analysts, certain officers of the court, and evidence technicians.
Forensic Tools used in Imaging
Here are some free tools for creating forensic images:
- FTK Imager by AccessData; runs on Windows and Linux
- Magnet ACQUIRE by Magnet Forensics
- FEX Imager; runs on Windows
Tools for Hashing
Most hashing tools run on Windows, Linux or macOS and are free software.
How Organizations Can Aid Computer Forensics
- Put a forensic plan in place that guides how a forensic investigation will be conducted and how evidence will be preserved.
- Give the technical team computer forensic training, identify computer forensic companies that already have the skills to assist, or do a combination of both.
Why Train Your IT Team?
When a cyber-security incident occurs, the IT staff will often be expected to make an initial assessment to identify the exact nature and seriousness of the incident. They will often not have received any kind of computer forensic training. As a result they are not necessarily aware of the issues surrounding the collection of digital data that may have to be relied upon later in court. Vital information such as time and date stamps can be lost, making the investigation more difficult. In the worst case, vital evidence may be thrown out of court because the data was handled improperly during the investigation. Hence the need for training in the collection and handling of digital evidence: it may be relied upon later, and proper handling saves cost.