I’ve been in the technology business for over fifteen years. And in that time, I've learned that computer forensics is the subject of much confusion. In fact, people have so many misconceptions about computer security, privacy and computer investigations in general that I decided to offer this educational page. So when you select a digital forensic solution provider, you can make an informed, intelligent decision.
In just a moment, I’ll share 4 little forensics misconceptions that could be devastating to your company's finances, security and reputation.
Plus, I'll offer 4 recommendations that will be of great use if you are faced with a crisis and need to take action immediately.
Want to talk about computer investigations and incident response? Need additional manpower in your team in Canada or internationally? I am ready to help. Use the form to contact me:
IMPORTANT: I WILL NOT and CANNOT HELP YOU WITH ILLEGAL OR UNETHICAL ACTS. This form is not secured, do not send personal information.
#1 INVESTIGATIONS ARE SLOW
They shouldn’t be. Not so long ago, the only option was to take a full image of every computer, bring it back to a lab and run a very long scan. That could take days, weeks, even months, and the analyst only started looking at the results once it had finished. This is far too slow and inefficient.
Newer approaches, notably triage that collects and examines the key artefacts first instead of scanning every byte of every disk, coupled with advances in research and tooling, let a trained computer examiner answer your questions in hours.
#2 COMPUTER INVESTIGATIONS ARE EXPENSIVE
Not necessarily. Many businesses consider digital forensics out of reach. It used to be that an examiner would invariably be dispatched to the customer site and would collect computer images one workstation at a time. At hourly rates close to those of lawyers, that method is cost prohibitive. Recent developments in digital investigation allow an analyst to remotely investigate multiple computers at once, which significantly improves speed and reduces the cost of the investigation.
#3 OUR I.T. DEPARTMENT CAN TAKE CARE OF EVERYTHING.
Maybe, but only if they are rigorously trained in preserving evidence and maintaining the chain of custody. As soon as the potential for a civil or criminal complaint is identified, your IT department should step back and you should immediately involve your counsel and a certified forensic examiner. You do not want to risk destroying or contaminating evidence by having IT poke around, and you cannot be certain they are not involved in the incident. It is best to remove all doubt and bring in someone with no personal stake in the case.
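One concrete piece of "protecting the evidence" is recording a cryptographic hash of every acquisition at the moment it is made and re-verifying it before analysis and before court. The script below is an added example, not code from this page's author: it hashes an image in 1 MiB chunks, appends a custody record to a JSON-lines log, and later detects a single altered byte. The log layout, field names and the placeholder "memory image" are constructed assumptions for illustration.

```python
# Added example (not from the original page): hash an acquisition the moment
# it is made, append a custody record, and re-verify before analysis. The
# JSON-lines log layout and field names are assumptions for illustration;
# the acquired image here is a constructed placeholder, not a real dump.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads so multi-GB images never load into memory


def sha256_file(path: str) -> str:
    """Stream the whole file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(image_path: str, examiner: str, log_path: str, note: str = "") -> dict:
    """Append one custody entry for image_path to the log and return it."""
    entry = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_acquisition(image_path: str, log_path: str) -> dict:
    """Recompute the hash and compare it with the first recorded value.

    The first record wins: it is the hash taken at acquisition time, and any
    later divergence is exactly what the custody log is meant to expose.
    """
    name = os.path.basename(image_path)
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    first = next((r for r in records if r["file"] == name), None)
    if first is None:
        return {"ok": False, "reason": "no custody record", "expected": None, "actual": None}
    actual = sha256_file(image_path)
    return {"ok": actual == first["sha256"], "reason": "", "expected": first["sha256"], "actual": actual}


def demo() -> tuple:
    """Constructed run: record, verify intact, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "host01-memory.raw")
        log = os.path.join(tmp, "custody.jsonl")
        with open(image, "wb") as f:
            f.write(b"MEMDUMP-PLACEHOLDER " * 4096)  # constructed stand-in for a RAM image
        record_acquisition(image, "J. Doe", log, note="RAM capture, workstation host01")
        intact = verify_acquisition(image, log)["ok"]
        with open(image, "r+b") as f:  # simulate a single-byte alteration
            f.seek(100)
            f.write(b"X")
        tampered = verify_acquisition(image, log)["ok"]
        missing = verify_acquisition(os.path.join(tmp, "never-logged.raw"), log)["reason"]
    return intact, tampered, missing


if __name__ == "__main__":
    print("intact, tampered, unlogged:", demo())
```

Run it as-is to see the three outcomes; in practice the log lives on separate, write-protected media and each examiner who touches the image appends a new record rather than editing an old one.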
#4 EXAMINERS ARE NOW USELESS.
It might seem that with all this technology one could simply press a button and receive a full report in seconds. In fact, even the most thorough investigation still has a large manual analysis component. Research on operating systems is ongoing and new artefacts are discovered every month; automated tools simply cannot keep pace with this rapid cycle of change.
An analyst's job is not simply to recover artefacts. To make sense of the collected artefacts and determine what really happened, you still need a trained, certified forensic analyst.
DO NOT PULL THE POWER PLUG! - DO NOT SHUTDOWN THE COMPUTER!
In 2015, it is hard to believe the old habit of pulling the plug is still in use. Instruct your personnel NOT to pull the power plug of a computer that may need to be investigated. Everything in RAM (running processes, open network connections, logged-in sessions, encryption keys, malware that never touched the disk) is lost the instant power is cut, and on an encrypted system that loss can leave the disk unreadable. Modern storage makes the old habit worse, not safer: an abrupt power cut leaves the file system in an inconsistent state, and an SSD's own garbage collection can start erasing deleted data as soon as the drive is powered up again.
Forensic investigators trained in current acquisition guidance can show your personnel how to image RAM properly before anything is powered down.
ALWAYS CHECK FOR THE PRESENCE OF ENCRYPTION.
Ordinary users are becoming more and more comfortable with encryption. Before powering down a system suspected of having been used for malicious activity, use this free tool to check it for the presence of encryption. If encryption is detected, do not power off the system. Have your IT department image the memory and take a logical image of the mounted file system while it is still unlocked, and only then power down; better still, contact a professional. If the disk is encrypted and these measures are not taken, the forensic examination will be severely hampered, because once the system is off the data may be unreadable without the key.
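The check above can be scripted for the common cases. What follows is an added example, not the free tool the page refers to and not this author's code: it reads the first sector and a mid-volume sample, matches the public LUKS and BitLocker on-disk signatures, and falls back to a Shannon-entropy estimate for headerless containers (VeraCrypt-style volumes look like random bytes from the first sector onward). The device path convention, the 7.9 bits/byte threshold and every sample volume are constructed assumptions; `classify_path` is what you would run against a real device such as `/dev/sda2`.

```python
# Added example (not from the original page): triage a volume for signs of
# full-disk or container encryption before deciding whether it is safe to
# power the machine down. Signature offsets follow the public LUKS and
# BitLocker on-disk formats; every sample buffer below is constructed here.
import hashlib
import math
import os
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS header magic, offset 0 of the partition
BITLOCKER_OEM = b"-FVE-FS-"   # BitLocker boot-sector OEM ID, offset 3
NTFS_OEM = b"NTFS    "        # unencrypted NTFS boot-sector OEM ID, offset 3
SECTOR = 512
SAMPLE_LEN = 8192             # bytes read from mid-volume for the entropy check
ENTROPY_THRESHOLD = 7.9       # bits/byte (assumed cut-off); ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_volume(header: bytes, sample: bytes) -> str:
    """Verdict for one volume from its first sector and a mid-volume sample."""
    if header.startswith(LUKS_MAGIC):
        return "encrypted:luks"
    if header[3:11] == BITLOCKER_OEM:
        return "encrypted:bitlocker"
    if header[3:11] == NTFS_OEM:
        return "plaintext:ntfs"
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "suspect:high-entropy"
    return "unknown:low-entropy"


def classify_path(path: str) -> str:
    """Classify a device or image file (assumes read permission on path)."""
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)  # works for regular files and block devices
        f.seek(0)
        header = f.read(SECTOR)
        f.seek(size // 2)
        sample = f.read(SAMPLE_LEN)
    return classify_volume(header, sample)


def _keystream(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def _boot_sector(oem: bytes) -> bytes:
    """Minimal x86 boot sector: 3-byte jump stub, 8-byte OEM ID, zero padding."""
    return (b"\xeb\x52\x90" + oem).ljust(SECTOR, b"\x00")


_TEXT = (b"Quarterly sales report, draft 3. Confidential. ") * 200

# Constructed test volumes: (first sector, mid-volume sample)
CONSTRUCTED_VOLUMES = {
    "luks_partition": (LUKS_MAGIC.ljust(SECTOR, b"\x00"), _keystream(b"luks", SAMPLE_LEN)),
    "bitlocker_volume": (_boot_sector(BITLOCKER_OEM), _keystream(b"fve", SAMPLE_LEN)),
    "plain_ntfs": (_boot_sector(NTFS_OEM), _TEXT[:SAMPLE_LEN]),
    "headerless_container": (_keystream(b"hdr", SECTOR), _keystream(b"body", SAMPLE_LEN)),
    "zeroed_disk": (bytes(SECTOR), bytes(SAMPLE_LEN)),
}


def triage_report(volumes=CONSTRUCTED_VOLUMES) -> dict:
    """Map each volume name to its verdict."""
    return {name: classify_volume(h, s) for name, (h, s) in volumes.items()}


def safe_to_power_off(report: dict) -> bool:
    """Any encrypted or suspect volume means: image memory and files first."""
    return not any(v.startswith(("encrypted", "suspect")) for v in report.values())


if __name__ == "__main__":
    rep = triage_report()
    for name, verdict in rep.items():
        print(f"{name:22s} {verdict}")
    print("safe to power off:", safe_to_power_off(rep))
```

A "suspect:high-entropy" verdict is a prompt to look closer, not proof: compressed archives and media files also score near 8 bits/byte, which is why the header checks run first and why a professional should make the final call.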
GET KNOWLEDGEABLE COUNSEL INVOLVED EARLY.
Not all counsel are knowledgeable about computer investigations and the admissibility of digital evidence. Forensic examiners are not lawyers and cannot give legal advice. You might have hired the best computer forensic examiner, but if your counsel does not understand computer crime investigation, you may receive erroneous advice, or your counsel may not know what to do with the evidence the digital investigation recovers.
HIRE A TRAINED FORENSIC EXAMINER.
Technological advances and new discoveries in computer forensics make it very important to select an investigator who is current on the latest operating system artefacts. Running an investigation off a simple list of keywords is not going to cut it in 2018.
I was the lead investigator in a fraud and theft inquiry that spanned several months and involved examining the computer activities of several former Canadian employees. The findings of my investigation were used in a civil case and led to the suspects admitting to the allegations. My presence was still requested in court and I had to present my evidence in person. This experience furthered my interest in computer security and I decided on my own to pursue formal education in the field of computer investigations.
I value education and do not hesitate to invest in additional skills. In the past I studied for various certifications such as the CCNA, Network+ and Windows Server 2008. I am now dedicating myself to the computer investigation and security field.
SANS Institute – Digital Forensics & Incident Response
- Windows Forensics Analysis FOR500
- Passed the GIAC Certified Forensics Examiner certification (GCFE) and the GIAC Certified Incident Handler certification (GCIH)
- Member of the GIAC Advisory Board
Certified Information Systems Security Professional: CISSP
Offensive-Security Certified Professional : OSCP
Justice Institute of British-Columbia JIBC : Investigations & Enforcement
Vulnerability Assessment, Investigations:
Kali Linux, OpenVas, Nessus, Maltego
What can I do for you?
What is Computer Forensics: The use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. (1)
1. Definition from The Sedona Conference Glossary: E-Discovery and Digital Information Management (Fourth Edition).
Type of Cases I Can Help Solve
- Intellectual Property Theft
- Computer Fraud investigation
- Employee Flight Risk
- Industrial Spying
- Theft of Time
- Workplace Harassment
- Computer Hacking
- Vulnerability Assessment