What is computer forensics?
Digital forensics is the process of using the scientific method to examine digital media in order to establish facts for legal purposes, especially judicial review. It involves the systematic inspection of IT systems, especially data-storage devices, for evidence of a civil wrongdoing or criminal act. Because of its focus on facts and scientific method, computer forensics processes must adhere to courtroom standards of admissible evidence, which severely complicates some of the otherwise simple data analysis tasks such as looking at logs to determine who connected to the system. (Source: Dr Anton Chuvakin, security expert and author of Security Warrior)
It's more than collecting data to be used as evidence. Computer forensics requires specialized training and tools beyond what's normally available to end-users and computer support personnel because the methodologies used adhere to a standard of evidence that is admissible in a court of law. It's a hybrid of technology and law. The process includes not only examination of the computer system but also the means used to access the computer and the network that it's attached to.
The process involves:
Computer forensics experts investigate many types of data storage devices, including but not limited to hard drives, cell phones, digital cameras, portable data devices (USB Drives, External drives, Micro Drives and many more).
When should I use a computer forensics team?
If you are concerned that unauthorized people have accessed sensitive data on your computer, then it is time to get a computer forensics team involved. If you feel that anyone, including employees, hackers, etc., may be accessing or misusing your or your company's sensitive information, then you cannot act quickly enough in consulting a computer forensics specialist. The longer you wait, the harder it may be to determine what information was accessed and what was done with it. You also give the unauthorized user more time to misuse the information.
Staff:
NetCerto's team of investigators and examiners has deep technical expertise in multiple domains. The principal investigators each have more than twenty years of system development, information technology consulting, network development, and project management experience. They have been key engineers in groundbreaking research projects, hold several patents, and maintain an active presence in several relevant professional organizations. All NetCerto examiners hold the Certified Information Systems Security Professional and Certified Computer Examiner credentials. The company holds a California Private Investigator license. NetCerto ensures that all of the forensics staff stay current with technology and best practices through ongoing education and internal research projects.
Facilities:
NetCerto maintains a secure, dedicated lab for handling computer forensics cases. Access control systems ensure that only approved staff can enter the facility, and all people, equipment, and evidence are logged in and out per industry standards. Network security for the lab incorporates industry best practices, and any systems performing analysis are further isolated by an “air gap” firewall – complete isolation from the building network and the Internet at large. Equipment is regularly updated for the best possible performance so that cases are processed efficiently. An ever-expanding library of properly licensed software tools, applications, and operating systems is maintained for research and to assist in analysis. Industry standard lab practices are followed to maintain hardware integrity during the examination process.
Documentation and Procedures:
All NetCerto investigations follow well-established practices laid down by the industry over many years, which are based, in turn, on law enforcement procedures. NetCerto monitors and contributes to industry efforts to further refine and extend “best practices” and updates the in-house Standard Operating Procedures when appropriate. All of our SOPs are available to any signed clients upon request.
Investigations – more than just forensics:
A proper investigation goes far deeper than a simple recovery of the deleted files of the subject's PC. Subjects and systems do not exist in isolation. Often, the actions of a subject will be recorded on several systems -- the subject's computer, the domain's authentication system, servers, databases, firewalls, and proxies; cell phones and phone systems used by the subject; and remote systems. NetCerto has the know-how to investigate these remote touches, and determine what the subject did and when.
NetCerto acts as if every case will end up in court. Our process will withstand a legal attack -- we establish a chain of custody of the evidence as soon as possible, process it with legally tested tools, and document the process according to industry standards.
Work product:
We provide the following items at the end of every project:
Resources:
Forensics Focus (forum)
Partners:
NetCerto partners with the following companies to ensure that all of a client's needs are met, not just the ones we are capable of servicing.