Before you start a computer forensics investigation…

March 2016

This month, Forensik provides you with a list of essential things to consider before you launch a computer forensics investigation. If you carefully follow this advice, you will avoid making costly mistakes.

  • We advise you not to disconnect the computer from the network or even create a network filter. As tempting as it may be, doing this could trigger a “deadman’s switch” artefact, a type of malicious mechanism that detects that a computer is disconnected from a network and automatically erases the digital evidence.
  • Don’t trust any installed software as it could already be altered; instead, use evidence-collecting software from independent devices.
  • Make sure you don’t run any programs that modify the data (e.g. tar or xcopy). For example, by simply opening a file or folder, you have already modified the last access time parameter on that file or folder.
  • It’s preferable not to turn off the computer before you have collected the evidence. If you do, part of the evidence could be lost because the perpetrator may have modified the computer’s startup and shutdown services or scripts.

Common pitfalls to avoid

  1. Unless your internal IT personnel have specific training in digital forensics, it’s best to avoid using them to conduct a computer forensics investigation. Even though they have the best of intentions, appearances are often deceiving. For example, did you know that simply printing, downloading or saving documents on a suspect computer may corrupt potential evidence?
  2. Avoid simply cloning the hard drive of the suspect computer rather than making a bit-to-bit copy.
  3. Avoid using a cleaning utility (e.g. CCleaner) to remove malware from a suspect computer when managing an incident.
  4. Avoid abruptly shutting down a suspect computer (i.e. pulling the plug) or even turning it off normally in some cases.
  5. Avoid continuing to use the device after the anomaly or incident arises.
  6. Avoid uploading potential malware you have found to “VirusTotal” using a link associated with your domain name.
  7. Avoid deactivating the Volume Shadow Copy (VSS) function in Windows.
  8. Avoid calling in a digital forensics expert… when it’s too late.
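
The advice above about not modifying data and about making a bit-to-bit copy can be illustrated with the following Python, an added example that is not Forensik's own tooling. It opens the source read-only without updating its last access time, copies every byte, and confirms the copy with SHA-256; the function names, the hash check and the constructed sample file are assumptions introduced for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # read size; the resulting image is identical for any value


def open_source(path):
    # Read-only open; O_NOATIME (Linux) asks the kernel not to touch last access time
    flags = os.O_RDONLY | getattr(os, "O_BINARY", 0)
    try:
        return os.open(path, flags | getattr(os, "O_NOATIME", 0))
    except PermissionError:
        # O_NOATIME requires owning the file or CAP_FOWNER; fall back to plain read-only
        return os.open(path, flags)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(source, image):
    """Copy every byte of source into image and hash both sides."""
    digest, copied = hashlib.sha256(), 0
    fd = open_source(source)
    try:
        with open(image, "xb") as out:  # "x" refuses to overwrite an existing image
            while chunk := os.read(fd, BLOCK):
                digest.update(chunk)
                out.write(chunk)
                copied += len(chunk)
    finally:
        os.close(fd)
    # Re-read the image from disk so the comparison covers what was actually written
    return {"bytes": copied, "source_sha256": digest.hexdigest(),
            "image_sha256": sha256_of(image)}


def demo():
    # Constructed sample file standing in for the suspect disk or partition
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * BLOCK + 517))
        return acquire(src, os.path.join(work, "evidence.dd"))
```

Matching digests show the image is byte-identical to the source; a mismatch means the copy cannot be relied on as evidence.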

Do you think you are the target of a cyber-attack? Before you do irreparable damage, contact our team of experts.