Digital Forensics

Digital forensics has existed for as long as computers have stored data that could be used as evidence. For many years, digital forensics was performed primarily by government agencies, but has become common in the commercial sector over the past several years.
Digital forensics has three major phases:

• Electronic Acquisition
• Data Analysis
• Information Presentation

The Electronic Acquisition Phase saves the state of a digital system so that it can be later analyzed. This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence so the goal of this phase is to save all digital values. At a minimum, the allocated and unallocated areas of a hard disk are copied, which is commonly called an image.
Cyber Security Works Pvt. Ltd has a dedicated team with extensive research and practical computer forensic experience. Our skilled professionals understand the specific challenges and requirements associated with complex forensic examinations and are experts in the acquisition, preservation and analysis of digital information. The tools used in the acquisition phase to copy data from the suspect storage device to a trusted device do not modify the suspect device and copy all data.
The Data Analysis Phase uses the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence we are looking for:

• Inculpatory Evidence: That which supports a given theory
• Exculpatory Evidence: That which contradicts a given theory
• Evidence of tampering: That which cannot be associated to any theory, but shows that the system was tampered with to avoid identification.

This phase includes examining file and directory contents and recovering deleted content. Our patent pending data analysis technique enables us to search for relevant information, develop insights and analyze the results very quickly. Our technology can perform analysis on digital content from multiple sources in various formats, structured or unstructured. Our techniques allow legal experts to spend more time developing their case instead of searching for information.
Regardless of the investigation setting (corporate or government), the steps involved during acquisition and analysis phases are similar because they are dominated by technical issues, rather than legal processes.
The Information Presentation Phase though is based entirely on policy and law, which are different for each setting. In this phase we present the conclusions and corresponding evidence from the investigation in our patent pending proprietary framework.

Electronic Acquisition

• Evidence collection and preservation
• Analysis of data modification, access and creation
• Intelligent and robust techniques result in faster searches and recovery of information

Data Analysis and Recovery

• Secure data recovery and analysis
• Organize data by categories without requiring prior information about dataset
• Recover data in a fraction of the time when compared to traditional keyword searches
• Discover hidden patterns, relationships and trends

Network forensics

• Collection and preservation of network data
• Preliminary analysis of data integrity
• Network intrusion and incident analysis
• Risk management of network configurations and network data collection
• Detection and analysis of malware (viruses, worms, spyware and adware)

Forensic and incident analysis of compromised machine(s)

• Basic attack mapping analysis
• Preliminary analysis of impact to data integrity as a result of a compromise
• Insider attack detection and trace back
• Recovery of sensitive information

Posted in: Digital Forensics, Penetration, Testing