FAQs

Some common questions about forensic IT are answered below.

  1. What is forensic IT?
  2. What evidence can be found in a computer?
  3. Who needs computer forensic and when?
  4. There has been violation of corporate policies in our organisation. We are not sure who is involved and the extent of such violation. What can we do?
  5. We suspect some irregular activities in one of our overseas offices but we don't have a full picture yet. What should we do?
  6. We have been involved in a litigation pertaining to intellectual property piracy. How can we secure our position?
  7. We heard that deleted files might be recoverable. We want to dispose of our old computer systems, what precautions should we take?
  8. Our computer personnel keep a regular back up of our system data already. All electronic evidence should be intact. Why do we still need computer forensic imaging?
  9. Our organisation has a water-tight computer security system which employs authentication, encryption, firewalls, VPNs, smartcards, and even biometrics. All of our system administrators are well-trained and highly qualified. How can computer forensics add value for us?
  10. Some of our key employees are leaving. How can we ensure that our corporate assets are not being compromised?
  11. What should be the immediate action when I suspect an incident involving a computer system has occurred?
1. What is forensic IT? 

Also known as computer forensics, it is the preservation, recovery, analysis and presentation of electronic evidence in a form that is admissible in court.


2. What evidence can be found in a computer? 

Generally, potential evidence includes:
(a) active and deleted files
(b) graphics, audio and video
(c) emails
(d) programs
(e) Internet activities and browsing history
(f) downloads
(g) user-defined settings and recently accessed/modified files
(h) traces of malware and hacker intrusion
(i) hardware configuration, etc.


3. Who needs computer forensic and when? 
  • Companies suffering from fraud or security breach by internal or external parties or seeking ways to monitor work flow and business processes.

  • Professionals engaged to investigate fraudulent or illegal transactions, e.g. money laundering.

  • Individuals and organisations requiring recovery or extraction of forensically sound evidence from digital media for inquiry, negotiation and litigation.

  • Law enforcement agents seeking evidence to support the prosecution of offenders.

  • Solicitors and counsel, in the process of e-discovery and when expert witness evidence is sought.


4. There has been violation of corporate policies in our organisation. We are not sure who is involved and the extent of such violation. What can we do? 

Identifying the prime suspects and isolating the critical evidence is always a challenge, and is essential in any type of investigation. An unstructured investigation not only disrupts business operations but also easily overlooks critical evidence. Our forensic IT specialists can investigate and identify the potential offenders and the extent of the violation in a timely and confidential manner, allowing management to make proper and informed decisions.


5. We suspect some irregular activities in one of our overseas offices but we don't have a full picture yet. What should we do? 

International companies always face the challenge of effectively monitoring and controlling their subsidiaries and overseas offices. In the past, investigations usually required physical visits. If an incident involves multiple locations, the investigation is inevitably time-consuming and costly, and considerable time and resources may be consumed before the scope of the incident is even clear. Such investigations are also reactive, and the suspect is likely to be alerted prematurely.

We have the ability to perform cross-network investigation: we can examine a suspect's machine and collect evidence remotely, without any physical on-site visit. This allows our clients to assess the scope of an incident before deploying a full-scale investigation. Our target-oriented approach minimises time and cost without disrupting the client's business operations. Remotely collected evidence must still be hash-verified and documented to the same standard as an on-site acquisition if it is to be relied upon later.


6. We have been involved in a litigation pertaining to intellectual property piracy. How can we secure our position? 

Intellectual property usually carries unique electronic fingerprints, such as metadata and source code. These fingerprints can be used to prove or disprove a case. Our forensic IT specialists can extract and examine such electronic evidence, compare it against the material in question, and offer solid expert witness opinion in court. Our forensic team is also committed to helping clients meet critical deadlines imposed by courts or regulatory authorities.


7. We heard that deleted files might be recoverable. We want to dispose of our old computer systems, what precautions should we take?

Data on a hard disk survives deletion, formatting and repartitioning: those operations only update the file system's bookkeeping, and the contents remain in unallocated space until they happen to be overwritten, from where specialised forensic tools can recover them. Before a computer is disposed of or donated to a charity, its hard disk should therefore be forensically wiped (every sector overwritten) and the wipe verified, to prevent leakage of sensitive business information or trade secrets. One caveat for SSDs and other flash media: wear levelling means an overwrite issued by the host does not reliably reach every cell, so use the drive's built-in secure-erase function, destroy the encryption key if the drive was fully encrypted, or physically destroy the media. Our Forensic IT team can help clients minimise this security threat.


8. Our computer personnel keep a regular back up of our system data already. All electronic evidence should be intact. Why do we still need computer forensic imaging? 

There are a number of differences between taking a backup and a computer forensic image. To highlight a few:
(1) A conventional backup retains active files and data only. It never reads the unallocated (or "deleted") space of the source hard disk drive, which holds deleted and partially overwritten information, nor file slack or unpartitioned areas. A forensic image is a sector-by-sector copy of the whole drive, so it captures the active files and all of that residual space, which often holds the important information.
(2) Forensically acquired evidence can be used in a court of law; the specialist procedures and forensic tools used for acquisition have been scrutinised and are accepted by many courts worldwide.
(3) A traditional IT backup provides no method of verification back to the original evidence and is therefore open to legal challenge. A forensic image is verified by a cryptographic hash (for example SHA-256) computed over the source drive at acquisition and matched against the image, and re-checked before each analysis session.
(4) The process of forensic imaging is fully documented (who acquired what, when, with which tools, and with which hashes), which is crucial for litigation purposes but uncommon for a regular backup.
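The difference in point (1), and the recoverability of deleted data discussed in question 7, as an added example that is not part of the original FAQ or the firm's tooling. It uses a deliberately tiny FAT-style volume (a free-space bitmap, a directory and raw sectors, all constructed in memory) in place of a real drive, so it runs without a device or root access; the file names and the "ACCT-" account-number signature it carves for are made up. A file-level backup sees only the directory, a sector-level image copies every sector, and a signature search over the image finds the deleted record, until the free space is overwritten:

```python
import re

SECTOR = 512
SECTORS = 64  # a 32 KiB toy volume, constructed for this example (not a real device)


class ToyDisk:
    """Minimal FAT-style volume: free-space bitmap, directory, raw sectors."""

    def __init__(self):
        self.data = bytearray(SECTOR * SECTORS)
        self.free = [True] * SECTORS
        self.directory = {}  # name -> (sector list, byte length)

    def write_file(self, name, content):
        needed = -(-len(content) // SECTOR)  # ceiling division
        sectors = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(sectors) < needed:
            raise OSError("toy disk full")
        for n, s in enumerate(sectors):
            chunk = content[n * SECTOR:(n + 1) * SECTOR]
            self.data[s * SECTOR:s * SECTOR + len(chunk)] = chunk
            self.free[s] = False
        self.directory[name] = (sectors, len(content))

    def read_file(self, name):
        sectors, length = self.directory[name]
        raw = b"".join(bytes(self.data[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)
        return raw[:length]

    def delete_file(self, name):
        # Same as a real OS delete: the directory entry goes and the sectors are
        # marked free, but the bytes sitting in those sectors are not touched.
        sectors, _ = self.directory.pop(name)
        for s in sectors:
            self.free[s] = True

    def wipe_free_space(self):
        # Overwrite every unallocated sector. For disposal of a drive the whole
        # device would be overwritten, not just the free space.
        for s, is_free in enumerate(self.free):
            if is_free:
                self.data[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)


def logical_backup(disk):
    """What a conventional file-level backup keeps: the active files only."""
    return {name: disk.read_file(name) for name in disk.directory}


def forensic_image(disk):
    """Sector-by-sector copy of the whole volume, allocated or not."""
    return bytes(disk.data)


def carve(blob, pattern=rb"ACCT-[0-9]{4}-[A-Z]{4}"):
    """Search raw bytes for a known signature, ignoring the file system entirely."""
    return [m.decode() for m in re.findall(pattern, blob)]


def demo():
    disk = ToyDisk()
    disk.write_file("readme.txt", b"public notice, nothing sensitive here")
    disk.write_file("ledger.csv", b"date,payee,ref\n2021-03-01,vendor,ACCT-4711-SECR\n")
    disk.delete_file("ledger.csv")  # the user "deletes" the sensitive file

    backup = logical_backup(disk)
    image = forensic_image(disk)
    carved_from_image = carve(image)

    disk.wipe_free_space()
    carved_after_wipe = carve(forensic_image(disk))
    return {
        "backup_files": sorted(backup),
        "in_backup": any(carve(content) for content in backup.values()),
        "carved_from_image": carved_from_image,
        "carved_after_wipe": carved_after_wipe,
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the result: the backup contains only readme.txt and no trace of the record, the image still yields the deleted account reference, and after the free space is overwritten the same search finds nothing. On a real drive the same holds for a dd-style image of the device and any file-carving tool.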


9. Our organisation has a water-tight computer security system which employs authentication, encryption, firewalls, VPNs, smartcards, and even biometrics. All of our system administrators are well-trained and highly qualified. How can computer forensics add value for us?

Companies still encounter security breaches, such as employee malfeasance, embezzlement, computer misuse, destruction of records, hacking, identity theft, etc. A fortified security system reduces the number of attacks or abuses, but such breaches are almost impossible to eliminate. For example, after investing a considerable amount of money to upgrade its financial reporting system, the management of a company proudly assured their auditors that the new system had zero flaws. However, using a forensic analysis tool, within a few hours the auditors were able to identify hundreds of notable transactions involving millions of dollars, forcing the company to thoroughly scrutinise and reconsider its security system and policies.

Most system administrators do not have formal training in computer forensic methodology. Using untrained technicians to perform forensic procedures is a high risk, much like asking a cardiac surgeon to perform an ad hoc brain operation. Computer evidence is highly volatile and the investigation process must be well thought out and well documented; therefore only trained forensic experts should be engaged to perform such tasks.

In addition, in litigation a company must address the issue of independence raised in the court process. Forensic evidence recovered and presented by an independent expert witness in an unbiased fashion carries the weight to prove or disprove cases. The same is also true in arbitration and mediation.


10. Some of our key employees are leaving. How can we ensure that our corporate assets are not being compromised? 

As a measure to protect business assets, many organisations have a policy of examining leavers' computers and workflow before or after their departure. Such an exercise must be conducted in a forensically sound manner, otherwise disputes may arise. The proper practice is to forensically image the hard drive of the leaver's computer, record the hash of the image, and examine the image only, because direct access to the original computer alters the evidence: file timestamps change as soon as the machine is used.


11. What should be the immediate action when I suspect an incident involving a computer system has occurred? 

The immediate action depends on the situation: the forensic approach to a stand-alone computer is very different from that for a machine on a network. As a general rule, do not examine or use the suspect's computer directly, and that includes turning it on or off. Simply booting Windows alters hundreds of files and timestamps; browsing and opening files on the machine is worse, as it contaminates critical evidence such as date/time stamps and may trigger destructive commands implanted by the suspect. Such damage can be permanent and irreversible. A related caveat: if the machine is already running, do not power it off on your own initiative either, because the contents of memory and the keys of any full-disk encryption are lost at shutdown, and a specialist may need to capture that volatile data first.

In normal circumstances, good practice is to forensically acquire the hard disk drive of the suspect's computer, through a write blocker, into a sterilised (wiped and verified) destination drive, recording a cryptographic hash of the source and of the image. Any analysis should be performed on the image only, while the original is kept in a secured location. Acquisition and analysis must be properly documented. Trained forensic specialists have the knowledge and skills to advise on incident response and can perform these tasks in a manner that will stand up in court. The rule of thumb is therefore to consult a forensic specialist as soon as an incident is suspected.
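The acquire-then-verify procedure described here and in question 10, as an added example (Python, not the firm's own tooling): read the source strictly read-only in fixed-size blocks, pad any unreadable block with zeros so every later byte keeps its true offset (the `conv=noerror,sync` behaviour of dd), hash the source as it is read and the finished image independently, and write a chain-of-custody record beside the image. The case number, examiner name and the temporary file standing in for the suspect drive are placeholders constructed for the demonstration; on a real drive the source would be a block device reached through a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1 << 20  # read/write granularity: 1 MiB


def source_size(path):
    """Size in bytes; seeking to the end works for regular files and block devices alike."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path, image_path, case_id, examiner):
    """Copy the source to an image block for block, hash both, and log the acquisition."""
    size = source_size(source_path)
    src_hash = hashlib.sha256()
    unreadable = []
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        offset = 0
        while offset < size:
            want = min(BLOCK, size - offset)
            try:
                chunk = src.read(want)
            except OSError:
                # A bad region on the media: note the offset and pad with zeros so
                # every byte after it still lands at its true offset in the image.
                unreadable.append(offset)
                chunk = bytes(want)
                src.seek(offset + want)
            if not chunk:  # source shorter than reported: stop rather than spin
                break
            src_hash.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "unreadable_offsets": unreadable,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_of_file(image_path),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(image_path + ".acquisition.json", "w") as log:  # chain-of-custody record
        json.dump(record, log, indent=2)
    return record


def verify(image_path, expected_sha256):
    """Re-hash the image before each analysis session to show it is unchanged."""
    return sha256_of_file(image_path) == expected_sha256


def demo():
    """Stand-in drive built from random bytes (constructed; not a real device)."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect-drive.bin")
    with open(drive, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 12345))  # deliberately not a whole number of blocks
    image = os.path.join(workdir, "CASE-0001-drive.dd")
    record = acquire(drive, image, "CASE-0001", "J. Examiner")  # placeholder identifiers
    intact = verify(image, record["sha256_source"])

    # Flip one byte of the image, as working on the original (or on an
    # unprotected image) would: verification against the acquisition hash must fail.
    with open(image, "r+b") as f:
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    after_tamper = verify(image, record["sha256_source"])
    return {"record": record, "intact": intact, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record written next to the image (case, examiner, time, source and image hashes, unreadable offsets) is what answers the "verification back to the original" objection in question 8; the single flipped byte in the demonstration shows why analysis is done on a verified copy and never on the original.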

