Computer Forensics

WHAT IS COMPUTER FORENSICS?

Computer forensics otherwise known as "digital forensics" is a process of electronic discovery to acquire digital evidence, analyse facts and report on a case by examining digital devices such as computers, hard drives or any other storage media or network conducted by a suitably trained computer forensic analyst in order to investigate a claim or allegation.

Computer forensics involves 4 basic steps:

1. Acquisition and collection of data
2. Examination
3. Analysis
4. Reporting

The forensic investigator must be suitably trained to perform the specific type of investigation requested by the client who can be a solicitor, private detective, company manager, prosecuting agent or law enforcing agency. A computer forensic specialist will initially examine each computer forensic case to determine the complexity level of the case so that an appropriately trained digital forensic investigator or team of investigators is assigned to the job. It is at this level that all the costs, logistics and duration of the investigation is determined and communicated to the client. Depending on the case, there may be a charge for the initial assessment which will be agreed at the time of the computer forensic service inquiry.

Acquiring and Collecting Digital Evidence

Digital evidence can be collected from many sources. Obvious sources include computers, mobile phones, digital cameras, hard drives, CD-ROM, USB memory sticks and so on. Non-obvious sources include RFID tags, and web pages which must be preserved as they are subject to change.

We will take special care when handling computer evidence: most digital information is volatile can be easily changed, and once modified, it is usually difficult to detect the changes or to revert the data back to its original state. For this reason, we will carry out and calculate a cryptographic hash of digital evidence and record that hash in a safe place to prevent any digital evidence contamination. This is essential as the computer forensic investigators will be able to establish at a later stage whether or not the original digital evidence has been tampered with since the hash was initiated and calculated.

Imaging electronic media evidence

As an initial stage of our computer forensic investigation, we may have to create an exact duplicate of the original evidentiary media. We use a combination of standalone hard-drive duplicators or software imaging tools so that the entire hard drive is fully cloned. We will do this at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the file system. We will then transfer the original drive to secure storage to prevent any tampering. During the imaging process, we will use a write-protection or write-blocking device or application to ensure that no information is introduced onto the evidentiary media during the computer forensic investigation process.

We have team of trained forensic investigators to perform the specific type of investigation requested by the client who can be a solicitor, private detective, company manager, prosecuting agent or law enforcing agency.

Cyber Law Consulting provides following services:
  • Data Acquisition of Hard disk / Digital Storage Media
  • Deleted, partially overwritten or formatted data recovery from hard disk
  • Email Forensics
  • Forensic examination of Internet access
  • Analysis of Encrypted / Password Protected data
  • Forensic Analysis of data from Central processing units, internal and peripheral storage devices
  • Such as fixed disks, external hard disks, floppy disk drives and diskettes, tape drives and tapes,CDs, DVDs, USB Devices, digital cameras and digital storage media, operating logs, software and operating instructions or operating manuals, computer materials, software and programs used to communicate with other terminals via telephone or other means, Network Logs etc.
  • Incidence Response, on-site support and Evidence Processing
  • Networking device logs examination
  • Malware and Volatile Memory analysis
  • Steganography decoding services
  • Expert Testimony