What we do...

Forensic Computer Investigation

General

Our technicians are former officers from Scotland Yard Economical and Specialist Crime Directorates Computer Crime Unit, the country's premier police unit for computer investigation, and have many years' experience in obtaining information that the customer thought was lost and gone.

Digital Evidence

Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, and so on, but evidence can come from other sources as well.
Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.
Other specific practices we use in the handling of digital evidence include:
* Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.
* Establishing and maintaining the chain of custody.
* Documenting everything that has been done.
* Using only tools and methods that have been tested and evaluated to validate their accuracy and reliability.
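
The hash-and-record practice described above, combined with a custody log whose entries are chained by hash, as an added Python example (not this firm's tooling). The file name, examiner names, timestamps and log layout are constructed assumptions.

```python
import hashlib, json, os, tempfile

def hash_image(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def _entry_digest(entry):
    # Canonical JSON (sorted keys) so the digest does not depend on key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, path, action, examiner, when):
    """Append a custody entry that commits to the previous entry's hash."""
    entry = {"seq": len(log), "when": when, "examiner": examiner, "action": action,
             "image": os.path.basename(path), "sha256": hash_image(path),
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)

def verify(log, path):
    """Return (log_intact, image_matches_acquisition_hash)."""
    prev = "0" * 64
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["entry_hash"] != _entry_digest(e):
            return False, False          # an edited log cannot vouch for the image
        prev = e["entry_hash"]
    return True, bool(log) and hash_image(path) == log[0]["sha256"]

def demo():  # constructed sample: a 3 MiB stand-in for a disk image
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "exhibit-001.dd")
        with open(img, "wb") as f:
            f.write(b"\x00" * (3 << 20))
        log = []
        record(log, img, "acquired via write blocker", "Examiner A", "2024-01-01T10:00:00Z")
        record(log, img, "moved to evidence store", "Examiner B", "2024-01-01T15:30:00Z")
        before = verify(log, img)
        with open(img, "r+b") as f:       # simulate a single-byte change to the image
            f.seek(1024)
            f.write(b"\x01")
        after = verify(log, img)
        log[0]["examiner"] = "Someone else"   # simulate an edited custody record
        return before, after, verify(log, img)

if __name__ == "__main__":
    print(demo())
```

The chained log only detects edits if the latest entry hash is itself recorded somewhere the log's holder cannot rewrite, which is the "record that hash elsewhere" step in the text.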

Methods

There are many reasons to employ the techniques of computer forensics:
* To recover data in the event of a hardware or software failure.
* To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
* To gather evidence against an employee that an organisation wishes to terminate.
* To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
Special measures should be taken when conducting a forensic investigation if the results are to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. To maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (ACPO) guidelines. These are made up of four principles, as follows:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Please contact us for a discussion about your Forensic Computer needs.