IT Forensic evidence assurance of rights violations
In order to carry out a forensic analysis and to obtain subsequent court recoverability upright, some things are to consider bevor securing a system:
- The original evidence should be "moved" as little as possible. Every "movement" of evidence can have a direct impact and falsification as a consequence . "Movement" means the security of any kind of physical or logical access to the evidence. Our clients have to undertake all necessary measures to maintain data integrity upright: Securing the device / evidence, Aktions which do prevent the device from beeing powered (custody in safe environment)
- The chain of evidence has to be untouched. This insists and demands a properly and extensivly documentation.
- Personal knowledge never has to be overestiminated. The inclusion of different experts on specific topics (e.g. data recovery) has to be considered.
Method of IT Forensics / Computer-Forensics
To carry out an analysis, in the context of IT-Forensic / Computer-Forensic, a fixed method is mandatory. This method is seperated into:
- Identification - Which devices are under initial suspicion
- Seize / Collecting suspicious devices - Seizing and access protection of the suspicious devices
- Analysis / Diagnosis and integrity of data - Generating a forensic copy in a way that it applies to the court standards - Subsequent analysis based on forensic copy.
- Presentation / Preparation - Creation of forensic analysis and, if necessary, a detailled forensic report.
Within these processes, the fundamental question is to answer the following questions regarding the facts which lead to the forensic investigation:
- Who – Who changed or deleted data ? Which people were present and participated in the alledged rights violations ?
- When – Date and time ?
- Why – Why changes, movements and / or deviations have been taken place ?
- Where – Exact place of incidence ?
- What – What has been done exactly ?
- How – How was the procedure and what kind of tools have been used ?
In this part of the process, the starting point is to be shown, the main activitie is the most accurate documentation of the found situation. In addition to the inventory of the actual security incident and first presumptions, necessarily more questions for further investigation have to be clarified. Followed by a structure as to which forms of evidence to the parties are accessible. Does the evidence contain a special form of file characteristics like log protocolls ? Is the evidence stored on a special form of non volatile data carriers ? Further more it has to be documented where the evidence ist stored, containing the environments in with the evidence is existing, like Operating System, etc.
At the End, a checkup has to be done focussing the basic facts with the goal to find a descision about the ways for gathering the evidence (Relevancy). The special attention to the question of a backup method (backup) must be clarified. In the following process step you will encounter non-volatile (eg. As data stored hard disks) and volatile data (eg., Data in RAM), there the evidence is stored on. The right method has to be taken in order to generate a forensical back up of thease kind of data carrier. At this poing the question of a possible external assistance plays an important role.
Seizing / Collecting the evidence(s)
This step involves the actual Evidence assurance for potential suspicion of violations of law. Using the already introduced question matrix in this process, the integrity of digital evidence and maintaining the chain of evidence, are the central tasks. Usually this means the generation of a forensic backup of the data carrier. For this purpose storage media should be used which can only be written once, if possible. The use of cryptographic methods to digitally sign proof data should be checked and if possible be applied in order to ensure the integrity of data.
In this process, there is always a crucial question: Is the affected IT system down due to the hazardous situation or can be operated on ? This question is of central importance, because in the upcomming steps some questions can appear: Does the RAM have to be dumped and which kind of role had the machine within the network, etc. In the case of switching off the volatile data carrier, storage information on carrier would be lost. This needs to be kept in mind.
After the relevant evidence data are collected and safely housed in appropriate media, a first anlysis follows. Necessarly all-round knowledge covering the topologies of networks, applications, actual and known system vulnerabilities and an high skill of improvisation is required at this point. Especially at this point, organisations and enterprises should think about consulting external professional. The required knowledge is beyond the administration of networks or different types of operating systems and needs programming knowledge, close to the level of operating systems. A successful it forensic analysis is always depending form the right interpretation of the events analysed. The purpose of the analysis is illustrative and examination of evidence, assessing the causes of the incident and the operation of the occurred incident. The analysis will typically never be berformed on the primary system and instead requires a more detailed documentation than in the previous steps.
Preparation and presentation
In the last step it is about to prepare the people involved in the analysis of their findings in a report. Here, the report on the fundamental motivation of an investigation is to be agreed. This can be summarized in the following points:
- Determining the identity of the perpetrator / perpetrators,
- Analysis of time indeed (creating "Timeline"),
- Determining the scope of the act,
- Determining the motivation of the act and
- Determine the cause and the way of implementing it
Whether or not all of the points clarified completely, depends both on the existing evidence as well as the quality of the analysis.
The expected costs depend on the complexity of the initial suspicion. It is understandable that the analysis of a notebook hard drive requires a lower cost, as the analysis of deletion scenarios across multiple servers. Because of this the costs orient at the working hours necessary to analyse the event itself. An average it forensic analysis of individual disks for commercial and enterprise customers is offered between 1,000 - 3,000 euros net. plus VAT. KUERT addresses its forensic services exclusively to small and medium enterprises. For more information, simply call, our staff will be glad to help and assist you.