© R3 CyberSecurity
Following the Tracks: Forensic Analysis
Jordi Bonete // 21 August 2018
Many of our clients ask us about the digital forensic analysis service and in which cases an analysis of this kind is carried out. In this article we explain, simply but in some detail, what it consists of, when it applies, and why it is done.
WHAT IS COMPUTER FORENSICS?
Computer forensics is the discipline that seeks to counter the challenges posed by computer criminals and the techniques they use.
To do so, an investigation is carried out on the digital devices involved (mobile phones, laptops, workstations, storage media, etc.) in order to establish the origin of the incident, determine who is responsible, and prevent it from happening again.
WHAT IS A COMPUTER FORENSIC ANALYSIS?
We could define it as a set of techniques for extracting relevant information from devices and disks without altering their content, in a way that lets us find patterns and hidden information and establish how a given security incident took place.
WHAT ARE THE OBJECTIVES OF COMPUTER FORENSICS?
The objectives can be divided into three:
1. Estimate the compensation due for the damage caused by the attackers (whether an employee or a professional criminal).
2. Bring the case before the courts, so that the criminals are prosecuted and answer for their crimes.
3. Study the case and put immediate security measures in place to prevent the incident from recurring.
WHAT KEY PHASES MUST BE CARRIED OUT FOR THE ANALYSIS TO BE CORRECT?
Acquisition: This phase obtains the information that will later be analysed. For a hard disk, it consists of making a bit-for-bit image of the disk (not a file-level copy, which would lose slack space, unallocated space and deleted directory entries), so that deleted data can be recovered and hidden partitions examined.
The information is collected in order of volatility, from most to least volatile: RAM is acquired first, since its contents are lost as soon as the machine is powered off, and the contents of persistent storage, the hard disk, are acquired last.
Preservation: The analysis is always performed on a copy, and the content of that copy must be identical to the original medium; information must never be destroyed or modified.
If the evidence may have to be presented in court, the copy should be made in the presence of a notary or court clerk. The original device is then stored, so that once the report has been written and the relevant evidence provided, it can be demonstrated unequivocally that the information has not been altered: a cryptographic hash of the original is computed at acquisition time and compared with the hash of the acquired image, and original and copy must produce the same hash. The hashes should be recorded in the custody documentation at the moment they are taken, and the working copy re-hashed before each analysis session.
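The acquisition and preservation steps described above, as an added shell example that is not R3's own procedure or code: it images a source medium sector by sector with dd, hashes the source before and after the copy and the image afterwards, appends the three digests to a simple custody log, and provides a check to re-verify the working copy later. It assumes a Linux host with coreutils (dd, sha256sum, awk) and, so that it runs offline, uses a constructed regular file in place of a real device such as /dev/sdb; a hardware write blocker between the device and the acquisition host is still required in practice.

```shell
#!/bin/sh
# Added example (not R3's code): bit-for-bit acquisition with hash-based
# preservation. SOURCE is assumed to be a block device such as /dev/sdb;
# in the offline demo below a constructed regular file stands in for it.
# Nothing here prevents writes to SOURCE: use a write blocker.

# Print the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector (bs=512). conv=noerror,sync makes
# dd continue past unreadable sectors and zero-fill them, so every offset in
# the image still lines up with the original medium. On a medium with bad
# sectors the digests will legitimately differ and the unreadable ranges
# must be recorded separately (tools such as ddrescue report them; dd does
# not). Hashes SOURCE before and after the copy and IMAGE afterwards,
# appends all three to LOG, and returns 0 only if all three agree.
acquire_image() {
    src=$1; img=$2; log=$3
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    pre=$(sha256_of "$src")
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    post=$(sha256_of "$img")
    src_after=$(sha256_of "$src")
    printf '%s source %s sha256=%s\n' "$ts" "$src" "$pre" >>"$log"
    printf '%s image  %s sha256=%s\n' "$ts" "$img" "$post" >>"$log"
    printf '%s source %s sha256=%s (re-read after copy)\n' "$ts" "$src" "$src_after" >>"$log"
    [ "$pre" = "$post" ] && [ "$pre" = "$src_after" ]
}

# verify_image IMAGE EXPECTED_DIGEST
# Re-hash the working copy (before each analysis session, or before handing
# it to another examiner) and compare with the digest recorded at
# acquisition time. Returns 0 if unchanged, non-zero if it differs.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Offline demonstration on a constructed 1 MiB "device" (2048 sectors of
# 512 bytes), followed by a simulated single-byte alteration of the copy.
demo() {
    tmp=$(mktemp -d)
    yes 'sector data for the constructed device' | head -c 1048576 > "$tmp/sdb.bin"
    if acquire_image "$tmp/sdb.bin" "$tmp/sdb.img" "$tmp/custody.log"; then
        echo "acquisition verified: image matches source"
    else
        echo "acquisition FAILED: digests differ"
    fi
    digest=$(sha256_of "$tmp/sdb.bin")
    # Someone touches the copy: overwrite one byte at offset 100.
    printf 'X' | dd of="$tmp/sdb.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$tmp/sdb.img" "$digest"; then
        echo "image still matches (unexpected)"
    else
        echo "alteration detected: image digest no longer matches custody log"
    fi
    cat "$tmp/custody.log"
    rm -rf "$tmp"
}

demo
```

Run it as a script to see the two outcomes: a clean acquisition where source, image and re-read source share one digest, and the failed re-verification after a single byte of the copy is changed. The three log lines are the minimum that lets a second examiner repeat the hash comparison; in a real engagement they are timestamped and signed in the presence of the notary or court clerk, and the device serial, the examiner's name and the write blocker used are recorded alongside them.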
Analysis: In this phase, specialised hardware and software are used to apply the different techniques, structure the work and obtain data on what is being searched for. It is very important to assess the incident and its criticality correctly, as well as which actors contributed to it.
Documentation: At R3Cybersecurity we prefer to document every action taken from the very start of the analysis. It is important to follow a proper order that makes the relationship between the different pieces of evidence found clear.
Above all, it must be ensured that any other computer forensic examiner can repeat the tests and analyses performed in the same way and obtain identical results. Only then is digital evidence considered adequate and complete.
Presentation: At this point an expert technical report is written that details precisely all the analysis carried out. It is important to present the results and the evidence in an irrefutable way, without personal assumptions or opinions.
We always rely on demonstrable facts, never on assumptions that cannot be proved.
It is very important to study the case and understand what is being sought. All the steps described must be carried out with sufficient caution and, if the objective is to present the evidence in court, with a notary or court clerk present.
At R3cybersecurity we act with the utmost caution, since any error or alteration in one of these phases can destroy all the work carried out and cause serious harm to the client.
Jordi Bonete | Cybersecurity consultant at R3 CyberSecurity