• Register
Home  //  Infosec Computer Forensic  //  Data Analysis & Recovery
Data Analysis & Recovery
PDF
Print
E-mail

An important component of the broader electronic-discovery process is the forensic analysis and investigation of recovered data. Forensic analysis is as much an art as it is science. Each case presents unique challenges, and the facts can often be hidden in plain sight. The objective of computer forensic analysis is to determine the facts, as recorded on computer systems and electronic media, in an efficient and non-biased manner. It involves following the chain of evidence as it unfolds. Computer forensic analysis goes beyond the initial investigation to include:

Ensuring that electronic evidence is admissible in a court of law;

Searching for relevant information and determining history, authentication and origin of electronic documents;

Using electronic data to reconstruct events or substantiate allegations and claims;

Minimizing the impact of spoliation;

Linking evidence together to prove the case;

Preparing evidence for litigation support, including deposition and expert witness testimony.

Types of computer forensic analysis include:

Disk Forensics: The process of acquiring and analyzing the data stored on physical storage media (computer hard drive, cell phones, PDAs, removable media, etc.). Disk forensics includes both the recovery of hidden and deleted data and also file identification, the process of identifying who created a file or message.

Network Forensics: The process of examining network traffic, including transaction logs and real-time monitoring, using sniffers and tracing.

Internet Forensics: The process of piecing together where and when a user has been on the internet or internal company network. This is used to determine whether inappropriate Internet content access and downloading was accidental or not. It is also used to determine if sensitive information was emailed inappropriately using a personal email account.

Email Forensics: The study of source and content of electronic mail as evidence. It includes the process of identifying the actual sender, recipient, date, time and location and email originated from. Email has become a significant issue for individuals and organizations. Harassment, discrimination or unauthorized activity violating company policy can be identified via email forensics.

Forensic analysis requires specialized skills and training. Computer Forensic Services, Inc.'s expert forensic examiners include federally trained analysts who specialize in and have developed extensive techniques for processing computer evidence.

Proactive Forensic Investigation

Often, the computer forensic investigation is the early "quick peek" discovery, and analysis of computer evidence performed is before a situation escalates. Often, Human Resource specialists or internal legal counsel initiate it when a situation has the potential to become more involved. The objectives of proactive forensic investigation include:

Capturing sensitive computer information and preserving electronic evidence;

Performing a preliminary investigation to determine the veracity of allegations or if company policy has been violated;

Ensuring the confidentiality of the process and impartiality of the investigator;

Minimizing risk and the potential cost of downstream actions.

Discovering the facts early, before a situation becomes unmanageable, saves time and money. Proactive forensic investigation is a unique tool that should be in every organization's toolkit.

Should the IT Department do the Analysis?

In the electronic-discovery process, the methods used to obtain relevant data are as important as the data itself. The process should be viewed from the beginning as a preparation of evidence that will survive the scrutiny of a courtroom. Issues with internal IT resources conducting the investigation include:

Internal IT resources may not be perceived as objective since they are employed by a party involved in the case;

Any curious "peeking" at the evidence could be construed as tampering and could result in files being altered from their original state;

Individuals involved in the investigation could be called upon to testify as expert witnesses: an experience for which they are likely unprepared;

The chances of spoliation and evidence contamination increase when proper forensic techniques are not applied;

Confidentiality: Will there be "water cooler talk?"

Effective forensic analysis and investigation is most effective when conducted by an impartial, third party with the necessary technical and law enforcement background.

 

Follow us on Twitter

Thanks for visiting us today

mod_vvisit_countermod_vvisit_countermod_vvisit_countermod_vvisit_countermod_vvisit_countermod_vvisit_counter
mod_vvisit_counterToday54
mod_vvisit_counterYesterday238
mod_vvisit_counterThis week634
mod_vvisit_counterLast week1050
mod_vvisit_counterThis month2112
mod_vvisit_counterLast month3764
mod_vvisit_counterAll days759975

Our partners in technology

Scroll Up