A look at the world of computer forensics

March 2019

When a client’s IT systems are impacted by a security incident, cyber investigators (or digital forensics investigators) track down the hackers responsible. This profession is still fairly new, but sure to grow as more and more of our day-to-day activities take place in cyberspace.

As it stands, many small and medium businesses that fall victim to a cyberattack aren’t sure where to turn. Digital forensics investigators do important work, but few people are aware of it.

Do you know what to do if your data is held hostage by a nefarious cybercriminal, or even if you suspect an internal breach?

The fascinating field of digital forensics has its own set of standard procedures. The key is to rely on experts and take certain precautions. Let us walk you through the basic elements of an investigation to help you protect your company in the event of a dispute.

Authorizing an investigation

Of course, an investigation can’t begin without official authorization, which will be incorporated in the contract signed between the victim company and the digital forensics specialist or firm.

If the incident has legal implications, court approval is required before data can be collected. The scope of the investigation will generally also be determined by the court, based on a few different factors.

If the case concerns an organization’s human resources, for example, either upper management or the internal legal team will give the green light.

Digital evidence

Authorization has been granted and the investigation is underway. So what’s the next step? What are we looking for? Earlier we talked about “tracking down” hackers. This image is more accurate than you might think! Even the smallest move in the digital world leaves a trace.

In the case of an intrusion, theft or leak of sensitive information, the investigator looks for clues in a few different places. The computer’s hard drive, of course, will contain information that can be used as evidence. RAM and browsing history also come to mind.

There are endless directions to explore in such a hyperconnected world. The call history for a landline or mobile phone, a printer’s job record, network equipment settings or computer system logs might be useful.

Online services like Facebook, Snapchat, Instagram, Twitter and LinkedIn save data and metadata concerning communications, locations and movements, which can then be linked to the activities of individuals in the real world.

Preserving evidence

You might be amazed by the sheer amount of evidence stored on the electronic devices you use, but much of this data is volatile and can be erased.

RAM and server audit logs, for instance, are regularly refreshed. As soon as you suspect that an investigation may be required, there are three main reasons to take protective measures:

  • Preventing data from being altered or erased
  • Guaranteeing the replicability of analyses and processes
  • Ensuring the receivability of evidence in court

In most cases, it’s enough to save a copy of the data stored on an affected device. There are a variety of specialized tools that perform this operation without altering data at rest.

Duplicating the evidence enables investigators to work at their own pace in a lab environment, without impacting the IT ecosystem.
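As an added illustration of the three preservation goals above (this is example code written for this page, not a Forensik tool or anything from the original article), the following Python script acquires a copy of an evidence file, hashes the original before and after the copy to show it was not altered, writes a chain-of-custody record, and shows how re-hashing the working copy detects even a one-byte manipulation. The file names, the examiner identity and the sample contents are constructed assumptions for the demonstration.

```python
"""Added example: preserving a forensic copy of evidence and proving it is
unaltered. Illustrative code, not a Forensik tool. All paths, the examiner
identity and the sample contents are constructed for the demonstration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB chunks so large images do not fill RAM


def sha256_file(path):
    """Hash a file in chunks; the digest is the evidence's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, log_path, examiner):
    """Copy `source` bit for bit into `image` and record the hashes of both in
    a chain-of-custody log. The source is opened read-only and never written,
    so the data at rest is not altered by the acquisition."""
    pre_hash = sha256_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_file(image)
    post_hash = sha256_file(source)  # confirm the original was not touched
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "source_sha256_before": pre_hash,
        "source_sha256_after": post_hash,
        "image_sha256": image_hash,
        # all three digests must agree for the copy to be usable as evidence
        "verified": pre_hash == post_hash == image_hash,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(image, log_path):
    """Re-hash the working copy and compare with the logged digest. Any later
    change to the copy, accidental or deliberate, makes this return False."""
    with open(log_path) as log:
        records = [json.loads(line) for line in log if line.strip()]
    expected = next(r["image_sha256"] for r in reversed(records)
                    if r["image"] == os.path.abspath(image))
    return sha256_file(image) == expected


def demo():
    """Run the whole procedure on a constructed sample file and return the
    acquisition result and the verification results before and after the
    working copy is tampered with."""
    workdir = tempfile.mkdtemp(prefix="forensic_demo_")
    source = os.path.join(workdir, "suspect_disk.bin")  # constructed sample
    image = os.path.join(workdir, "suspect_disk.img")   # assumed image name
    log_path = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:
        f.write(b"constructed sample evidence: invoice.docx deleted 2019-03-01\n" * 2048)

    record = acquire(source, image, log_path, examiner="examiner@example.org")
    intact = verify(image, log_path)

    # Simulate "the slightest manipulation": flip one byte in the working copy.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    tampered = verify(image, log_path)

    shutil.rmtree(workdir)
    return record["verified"], intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The log is append-only JSON lines so that every acquisition and re-verification leaves its own dated entry; in practice the same digests would be recorded on the signed chain-of-custody form, which is what makes the analysis replicable and the copy receivable in court.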

In some cases, however, the computers in question may need to be powered off until the problem is resolved.

It should be clear by now that relying on proven methods is essential for a cyber investigation. That’s why all of Forensik’s experts are fully certified and use only trusted tools.

In the wake of a security incident, the slightest manipulation can jeopardize your entire investigation. Don’t take any risks! Make sure you haven’t missed anything by getting in touch with a specialist.

In the meantime, follow our advice to perform an information security health check for your company. You’ll never have to worry about an investigation process!
