Digital Forensics
Digital forensics can be defined as the application of scientifically derived and proven methods to the preservation, validation, identification, extraction, analysis, interpretation, documentation and presentation of evidence derived from digital sources for use in legal, investigative or administrative processes. In layman’s terms, it is the investigation of computers, mobile phones, electronic devices, or any type of digital media (such as a memory card or hard drive) believed to used in illegal or unauthorized activities – in order to establish what happened, when it happened, how it happened, and who was involved. The investigation must be conducted in such a way as to preserve the integrity of the evidence, comply with rules of evidence and chain of custody, legal processes and procedures. In addition, any findings of the investigation must be based on scientifically proven techniques and methodology, and should be replicable (i.e. another forensic examiner should be able to duplicate your examination and produce the same findings).
Digital Forensic Investigations
Intertel’s digital forensic services comprise the following:
- 1Digital forensic investigations
- 2eDiscovery and litigation support
- 3Data recovery and reconstruction
Who would require digital forensics?
Digital forensics could, for example, be used to investigate the theft of intellectual property or proprietary information, fraud or embezzlement, the unauthorized access to or use of company resources, computers, networks, mobile devices etc.The findings of such an investigation would likely be used as evidence in disciplinary hearings, and possibly civil or criminal proceedings. In criminal investigations, digital forensics is obviously instrumental in gathering evidence of computer crimes such as child pornography, cyber terrorism, online fraud, cyber stalking, forgery and identity theft. Digital forensics has countless applications in both the public and private sectors, for individuals, businesses, organizations, agencies and governments.
Some of the more common applications are in the investigation of:
- Unauthorized access
- Copyright infringement
- Intellectual property theft
- Data theft
- Deliberate data destruction
- Computer or mobile phone misuse
- Inappropriate internet use
- Identity theft
- Counterfeit software
- Employee fraud
- Embezzlement
- Extortion and blackmail
- Harassment and sexual harassment
- Cyberbullying and cyberstalking
- Money laundering
- Financial crimes
- Regulatory compliance
- Child pornography and grooming
- Collusion and insider trading
- Bribery and corruption
In addition, digital forensics is able to:
- Determine the date a document was created
- When and by whom a document was altered
- Validate the authenticity of a document in dispute
- Recover and retrieve deleted data
- Verify the authenticity of emails in dispute
- Provide litigation and dispute resolution
- Extract data to comply with regulatory disclosure
- Preserving data during litigation or electronic disclosure
- Secure data for insolvency or business recovery
What sort of tools are used in digital forensics?
- HELIX & CAINE
- Paraben
- WinHex/X-Ways Forensic
- NetAnalysis and HSTEX
- Simple Carver Suite (SCS)
- Internet Evidence Finder
- LiveView, VFC and Mount Image Pro (and VMWare)
- C4P and C4M
- Setup API Extractor
- Event Log Explorer
- O&K Printer Viewer
- ISO Buster
- Link File Extractor
- CookieView
- DCode
- CacheBack
- Lophtcrack
- MetaData Assistant, MetaData Analysis, MetaData Extractor
- RAID Constructor
eDiscovery and Litigation Support
Discovery is the process of identifying, preserving, collecting, reviewing, analyzing and producing information during civil legal actions. The goal of discovery is to obtain information that will be useful in developing relevant information for pre-trial motions and for the trial itself. Information sought during discovery can include documents, testimony and other information deemed necessary by a court. eDiscovery is simply the extension of the discovery process to information that is stored electronically and includes email, instant messages, word processing files, spreadsheets and other electronic content that may be stored on desktops, laptops, file servers, mainframes, smartphones, employees’ home computers or on a variety of other platforms.
- Identification is used to identify potential sources of relevant information. These sources may include business units, people, IT systems and paper files.
- Preservation entails promptly isolating and protecting potentially relevant data in ways that are: legally defensible; reasonable; proportionate; auditable; and which mitigate risks.
- Collection is the acquisition of potentially relevant electronically stored information and its meta mata.
- Processing involves the cataloging of data and meta data, the formatting, conversion and restoration of data, and the reduction of data by defensible selection.
- Review is a critical component to most litigation and is used to identify responsive documents to produce and privileged documents to withhold.
- Analysis is primarily concerned with understanding the circumstances, facts and potential evidence in a litigation or investigation.
- Production involves preparing and producing electronically stored information in an efficient and usable format, and in compliance with agreed production specifications and timelines.
- Presentation is the diplaying of electronically stored information before audiences, to elicit further information, validate existing facts or positions, or to persuade an audience.
Data Recovery and Reconstruction
Intertel offers two types of data recovery.
- 1Acquisition of data from a working computer, laptop, tablet or mobile phone
- 2Recovery of data from a damaged, failed, corrupted or inaccessible storage device or media
Intertel’s Data Recovery Capabilities
- Recovery of deleted or lost partitions and files
- Recovery of lost and deleted emails (all formats and platforms)
- Recovery of accidental and erroneously formatted storage media
- Recovery of damaged or corrupted data stored on various storage devices
- Recovery of data from extensively physically damaged storage devices
- Recovery of corrupt Microsoft Office documents and Outlook PST files
- Recovery of data from damaged storage devices due to environmental damage
- Recovery of virus-damaged files
- Hardware recoveries and “Open drive recoveries”
- Resolution of RAID system Failures (Raid 0-5)
The following operating systems, drives and storage media can be processed for data recovery:
Operating Systems | Storage Drives | Storage Other |
DOS | SATA drives | iPods (HDD Mode) |
Windows (all) | SCSI drives | Flash Cards |
Linux | IDE drives | Smart Media |
Unix | 1.8″ drives | Memory Sticks |
Novell Netware | 1.1″ drives | Floppy Disks |
Mac OS | SAS drives | CD/DVD |