Information Systems Forensics Frequently Asked Questions
- What is “Information Systems Forensics”?
- What forms of digital media devices can potentially hold data?
- Can deleted emails be recovered?
- Can deleted files be recovered?
- I think that a computer in my company may contain important evidence. What do I do?
- I think that a cellphone in my company may contain important evidence. How should I handle it?
- What are the drawbacks to not calling an Information Systems Forensic expert immediately?
- How does Information Systems Forensics differ from data recovery?
- What types of data do you focus on in your investigations?
- How does the Information Systems Forensics process typically work?
- What do I receive after a computer investigation?
What is “Information Systems Forensics”?
Information Systems Forensics, sometimes called Computer Forensics or Cyber Forensics, is the scientific examination of Electronically Stored Information (ESI), also known as digital information: its identification, collection, preservation and analysis, carried out in such a way that what is found can later be used as evidence in a court of law. This digital information (for example email messages, digital images, network log files) can be found on computer hard drives, servers and other digital storage media (thumb drives, DVDs, CD-ROMs, smartphones); any device with memory that stores information is a candidate. The examiner first creates a forensic image, an exact bit-for-bit copy of the ESI whose integrity is verified with a cryptographic hash, and then searches that copy, never the original, for digital evidence, attempting to reconstruct a timeline of how the data was used in relation to the matter under investigation. Information Systems Forensics is a specialized service that provides and documents digital evidence for possible use in litigation. A forensic investigation is highly disciplined: every step is recorded, and the results can be repeated by another examiner and shown to be accurate, which is crucial for any digital evidence to be admissible in court.
What forms of digital media devices can potentially hold data?
- Computers
- Apple and Android Tablets
- Smartphones and Most Other Mobile Phones
- MP3 Music Players, iPods
- Hard Drives
- Digital Cameras
- USB Memory Devices
- PDAs (Personal Digital Assistants)
- Backup Tapes
- CD-ROMs & DVDs
Can deleted emails be recovered?
Deleted emails can usually be recovered, but there is no guarantee; much depends on the circumstances. Deleting a message normally removes only the reference to it, so as long as the space it occupied has not been overwritten, the message can generally be recovered. If it has been partly overwritten, the probability is lessened and you may get fragments (headers, part of the body) rather than the whole message. If the file was fragmented (stored in scattered pieces on the disk) before it was deleted, recovery is harder still, but it remains possible.
Can deleted files be recovered?
There is a very good chance that an Information Systems Forensic investigator can recover deleted files from a hard drive. When a file is deleted using standard methods, the file system merely marks its space as available; the contents are not erased from the disk. Contrary to popular belief, a file is not gone when the delete key is pressed, and until something else is written over that space it is usually recoverable and usable. Two caveats apply on modern equipment: solid-state drives may discard the contents of freed space on their own (the TRIM feature), and files on an encrypted drive are unreadable without the key, so the odds are lower on a recent laptop than on a traditional spinning hard drive.
I think that a computer in my company may contain important evidence. What do I do?
Most importantly, a few things you should NOT do:
- Do NOT use the computer or attempt to search for evidence yourself. Any further use, even opening a folder, alters timestamps and can overwrite the very data you are looking for.
- Do NOT turn it on. If the suspected computer is off, leave it off.
- If the computer is on, do NOT go through a normal “Shut Down” process; shutting down writes to the disk and can run cleanup tasks. Be aware that pulling the plug has a cost of its own: everything held in memory (open documents, running programs, the keys to any encrypted volume) is lost the moment power is cut, and an encrypted disk may not be readable again without its password. If the machine can be left running, untouched and disconnected from the network until an examiner arrives, that is usually the better choice. If it must be shut down, unplug it from the back of the tower or at the outlet rather than using the menu.
- Do NOT type on the keyboard or move the mouse.
- Do NOT allow the internal IT staff to conduct a preliminary investigation.
- Do NOT remove any USB drives / devices, SD cards, or other devices that are connected to the computer.
Now a few things you should always be sure you DO:
- Do store the computer in a secure place and, if possible, secure the area in which the computer is located.
- Do keep a detailed log of:
- who had/has access to the computer
- what was done, if anything
- when it was done
- where the computer has been stored since the incident
- Do photograph the screen if the computer is on and something is displayed on the monitor.
- Do contact us immediately.
I think that a cellphone in my company may contain important evidence. How should I handle it?
Cell phones, tablets, digital cameras and other mobile devices keep their data in internal flash storage, which on current devices is usually encrypted, and in working memory, which is lost the moment power is cut. Powering a device off or letting the battery die can therefore lock you out: on restart the device demands its passcode, the encrypted storage cannot be read without it, and anything that existed only in memory is gone. Please follow these guidelines to secure these devices for future examination:
- If the device is off, do not turn it on.
- If the device is on, leave it on. Shutting it down can trigger the passcode lock, preventing access to evidence and / or resulting in the loss of data.
- Isolate it from the network (airplane mode if that can be set without unlocking the device, otherwise a shielded bag) so that it cannot be wiped or altered remotely.
- Photograph the device and whatever is on its screen.
- Label and collect all cables, chargers and memory cards and transport them with the device.
- Keep the device charged. If it cannot be kept charged, a specialist must complete the analysis before the battery discharges or the data may become inaccessible.
- Document all steps involved in the seizure of the device and its components.
What are the drawbacks to not calling an Information Systems Forensic expert immediately?
It is essential to understand that the operating system of a computer constantly writes to the hard drive, and it reuses the space freed by deleted files whenever it needs room, in an order you cannot predict. This means that the longer a computer is used, the more likely it is that evidence will be lost. Fortunately, the operating system frequently records the same information in several places (the file itself, temporary copies, the page file, application caches), so if the data is overwritten in one area, it may still reside in another. However, it is impossible to tell in advance whether the data that matters most to you will survive continued use. The simple act of turning the computer on or browsing through files can damage the very data you are seeking: access and modification timestamps change, freed space is overwritten, and evidence can be corrupted. All of these risks are reduced by contacting an Information Systems Forensics expert immediately and acquiring a verified image of the computer as quickly as possible, before anything valuable is destroyed or altered.
How does Information Systems Forensics differ from data recovery?
The goal of data recovery is solely to get back files and folders lost from damaged disk drives, media, computers, peripherals or operating systems because of disk or system failure, unintentional deletion, or some other unexpected event, without any concern for how the device was used. Data recovery could be considered the first step in gathering evidence in a computer forensics investigation. When digital media is imaged, an exact bit-for-bit replica of the original is created, verified by hash, that includes all files and folders along with any deleted data; the examiner also gains the ability to view hidden, unallocated and unpartitioned space. Information Systems Forensics is concerned with providing evidence, or proving a lack of evidence, regarding how a computer was used, what files were accessed and at what time, and who accessed them. Information Systems Forensic investigators are able to find, assemble, analyze and explain large amounts of digital information that would not be particularly helpful to a data recovery service but are invaluable in a court of law.
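To make "an exact replica" and "results that can be repeated and proven accurate" concrete, here is an added example of a verified acquisition. It is illustrative code written for this FAQ, not the firm's own tooling: an ordinary file stands in for the drive, and the file names, examiner name and case number are invented. The copy is hashed as it is read, the source and the image are then re-hashed independently, and a chain-of-custody record is written; re-hashing the image later proves it has not changed.

```python
"""Added example: acquire a bit-for-bit image of an evidence source and prove
the copy is exact.  Written for this FAQ; the file names, examiner and case
number are invented, and an ordinary file stands in for a drive."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat even on multi-terabyte sources


def sha256_file(path):
    """Hash a file in chunks so the whole source is never loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def acquire(source, image):
    """Copy `source` to `image` byte for byte, hashing the stream as it is read.

    On a real acquisition `source` is the block device, opened read-only and
    ideally behind a hardware write blocker.  Returns the SHA-256 of every byte
    read from the source while copying.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            h.update(buf)
            dst.write(buf)
        dst.flush()
        os.fsync(dst.fileno())
    return h.hexdigest()


def image_and_verify(source, image, examiner, case_id):
    """Acquire, re-hash both files independently, and record the result.

    Three hashes must agree: the one taken during the copy, the source re-read
    afterwards (it must not have changed), and the finished image.
    """
    stream_hash = acquire(source, image)
    source_hash = sha256_file(source)
    image_hash = sha256_file(image)
    entry = {  # one chain-of-custody record; JSON lines are easy to audit later
        "case_id": case_id,
        "examiner": examiner,
        "action": "acquire",
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "sha256": image_hash,
        "verified": stream_hash == source_hash == image_hash,
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(image + ".log", "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def still_matches(image, recorded_hash):
    """Re-verify an image later, e.g. before analysis or before testifying."""
    return sha256_file(image) == recorded_hash


def demo():
    """Image a constructed evidence file, verify it, then flip one byte of the
    image and show the change is caught.  Returns the facts worth checking."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "evidence.bin")
    image = os.path.join(work, "evidence.dd")
    with open(source, "wb") as f:  # constructed sample data, not a real drive
        f.write(b"MBR" + os.urandom(3 * CHUNK + 123))  # deliberately not a CHUNK multiple
    entry = image_and_verify(source, image, "A. Examiner", "CASE-0001")
    intact = still_matches(image, entry["sha256"])
    with open(image, "r+b") as f:  # simulate an accidental write to the image
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(bytes([original[0] ^ 0xFF]))
    return {
        "verified": entry["verified"],
        "intact": intact,
        "tampered_detected": not still_matches(image, entry["sha256"]),
    }


if __name__ == "__main__":
    print(demo())
```

The three-way hash comparison is the point: the stream hash proves what was read, the second source hash proves the source did not change during the copy, and the image hash proves the copy matches. Any later re-hash that disagrees with the logged value means the image can no longer be presented as the replica that was acquired.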
What types of data do you focus on in your investigations?
In computer forensics, there are three types of data that we are concerned with: active, archival, and latent.
- Active data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
- Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
- Latent (also called ambient) data is information that typically requires specialized tools to reach: for example data that has been deleted or partially overwritten, or fragments left behind in the slack and unallocated space of a disk.
How does the Information Systems Forensics process typically work?
The first step is to clearly determine the purpose and objective of the investigation. From there the work proceeds in a fixed order, so that every later step is performed on a protected copy rather than on the original:
- Secure the subject system from tampering or unauthorized changes for the duration of the investigation.
- Acquire and preserve the evidence: make a complete bit-for-bit image of the media, verify it with a cryptographic hash, and work only from that copy, so the original is protected from any alteration, damage, data corruption or virus introduction that could render the evidence inadmissible in court.
- Discover all files on the image. Much of what is found at this stage is not available or viewable to the average computer user: deleted files, and fragments of earlier data in the unused tail of the last disk block a file occupies (known to computer forensic practitioners as slack space). Special skills and tools are needed to obtain this type of information or evidence.
- Recover all deleted files and other data not yet overwritten. A deleted file remains on the drive until the operating system reuses all or part of its space, which is why relevant computers must be acquired as soon as possible; ongoing use of a system destroys data that could otherwise have been extracted.
- Finally, analyze all potentially relevant data in the areas of the disk that normal tools do not show: unallocated space (currently unused, but possibly the repository of earlier files) and the slack space of existing files.
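The claims above about deleted files, file slack and unallocated space (and the earlier answer on recovering deleted files) can be shown on a toy disk. The following is an added example written for this FAQ, not the firm's own tooling and not a parser for any real file system: a 16-cluster image, a two-row file table and the email and PNG contents are all constructed. A deleted email's tail is left in the slack of a live file that overwrote its first 200 bytes, a deleted PNG sits in a freed cluster, and both are carved back out by signature.

```python
"""Added example: where 'deleted' data survives on a disk, and how it is carved
back out.  Written for this FAQ; the 16-cluster image, its two-row file table
and the email/PNG contents are all constructed, and no real file system format
is parsed."""
import re
import struct
import zlib

CLUSTER = 512        # bytes per allocation unit on the constructed image
N_CLUSTERS = 16
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
HEADER_RE = re.compile(rb"(?:From|Subject): [^\r\n]+")


def png_bytes(width=8, height=4):
    """Build a small but valid PNG so the carver has a genuine header and footer."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def build_image():
    """Lay out the constructed disk. Returns (image, file_table).

    file_table rows are (name, first_cluster, logical_size, allocated); files are
    contiguous to keep the example short.  History of this 'disk':
      1. a short email (under one cluster) is written to cluster 2, then deleted
         and its table entry discarded entirely;
      2. report.txt (200 bytes) is written into cluster 2, overwriting only the
         first 200 bytes, so the email's tail survives in report.txt's slack;
      3. photo.png is written to cluster 5, then deleted: its entry is flagged,
         the cluster returned to the free pool, and the bytes left untouched.
    """
    img = bytearray(N_CLUSTERS * CLUSTER)
    mail = (b"Received: from mx.example.test by mail.example.test; " + b"." * 160
            + b"\r\nFrom: cfo@example.test\r\nSubject: move the funds before the audit\r\n\r\nFriday.\r\n")
    img[2 * CLUSTER:2 * CLUSTER + len(mail)] = mail
    report = (b"Q3 status report. All figures reconciled. " * 5)[:200]
    img[2 * CLUSTER:2 * CLUSTER + len(report)] = report
    png = png_bytes()
    img[5 * CLUSTER:5 * CLUSTER + len(png)] = png
    table = [("report.txt", 2, len(report), True), ("photo.png", 5, len(png), False)]
    return bytes(img), table


def clusters_of(first, size):
    return range(first, first + max(1, -(-size // CLUSTER)))   # ceil(size / CLUSTER)


def active_bytes(img, table):
    """What the user sees: the logical content of each live file."""
    return {n: img[c * CLUSTER:c * CLUSTER + s] for n, c, s, live in table if live}


def slack_bytes(img, table):
    """File slack: from each live file's logical end to the end of its last cluster."""
    return {n: img[c * CLUSTER + s:(clusters_of(c, s)[-1] + 1) * CLUSTER]
            for n, c, s, live in table if live}


def unallocated_bytes(img, table):
    """Every cluster no live file owns, including those freed by deletions."""
    owned = {k for _, c, s, live in table if live for k in clusters_of(c, s)}
    return b"".join(img[k * CLUSTER:(k + 1) * CLUSTER] for k in range(N_CLUSTERS) if k not in owned)


def carve_png(data):
    """Signature carving: from the PNG magic to the IEND tag plus its 4-byte CRC."""
    found, pos = [], data.find(PNG_MAGIC)
    while pos != -1:
        end = data.find(b"IEND", pos)
        if end == -1:
            break
        found.append(data[pos:end + 8])
        pos = data.find(PNG_MAGIC, end)
    return found


def demo():
    img, table = build_image()
    active, slack, free = active_bytes(img, table), slack_bytes(img, table), unallocated_bytes(img, table)
    carved = carve_png(free)
    return {
        "active_mentions_audit": any(b"audit" in v for v in active.values()),
        "slack_headers": [m.group(0) for m in HEADER_RE.finditer(slack["report.txt"])],
        "pngs_carved": len(carved),
        "carved_png_intact": carved == [png_bytes()],
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the active data mentions the audit, yet the subject line is recovered from report.txt's slack and the deleted photo is carved whole from the free cluster. On real media the carver would also have to cope with fragmented files and false header hits, which is why the examiner checks each carved object (here, by confirming the PNG is byte-for-byte intact).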
What do I receive after a computer investigation?
The computer forensic expert will provide a detailed report that explains the:
- Processes taken in acquiring and securing the electronic evidence
- Scope of the examination
- Findings of the examination
- Examiner’s conclusions
Please note that the findings section may include file listings with file date/timestamps, document printouts, email printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results. The examiner’s conclusions may be the most critical component of the final report. These conclusions, based upon the investigator’s expertise and experience in the field of Information Systems Forensics, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.