The need for a company to require forensic analysis of its information systems can have many origins. This investigation may arise from a security incident, but it may also be triggered by a suspicion of malicious (or unlawful) behaviour or a notification coming from outside of the company itself.
Whatever the origin of the need, when the decision has been taken to carry out an investigation, a set of actions need to be taken (usually quickly) to preserve as much evidence as possible for analysis. It is thus critical that these actions are performed by specialised and properly trained engineers who will be capable of ensuring not only that critical evidence is not destroyed or lost but also that the overall process is forensically sound and can be used afterwards, if necessary, for legal actions.
On-site acquisition of the physical media may take various forms such as computer hard disk drives, flash drives as well as mobile devices.
Depending on the case scenario as well as on the scope of the desired analysis, it may be critical to also acquire the computer's live memory (RAM) for further analysis. Live memory acquisition is also critical if the computer's hard drive is encrypted as it may be the only element allowing analysts to access the decryption key.
Whatever the media, the acquisition must be fully documented and performed in accordance with best practices to maintain the chain of custody. Once acquired, the forensic images and the corresponding hashes are then securely stored and preserved. Working copies are performed (and their hashes verified) to be used for actual analysis tasks.
The examination and analysis phases (and especially analysis) usually constitute the major and longest part of the assignment. Our engineers are capable of analysing systems based on standard operating systems – Microsoft Windows, Linux based operating systems as well as on common mobile platforms.
Depending on the specifics of the investigation and on the device considered, such analysis includes phases like:
Disk and filesystem analysis
Memory analysis
Timeline analysis
…