Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail. Evidence from computer forensics investigations is usually subjected to the same guidelines and practices as other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems.
Computer forensics is the investigation of computer media for facts that either refute or support the claims that our client is making in court. There is a lot more to computer forensics than just entering search terms and running a forensic software program across a hard drive. Computer forensics is a discipline that requires both advanced investigation skills and certified professional computer knowledge.
There are very distinct differences between a computer professional and a specialized Computer Forensic examiner. While both work with computers, their focus and training are drastically different. The ability to safely and thoroughly examine computers, or any other kind of digital information, for digital evidence is a highly specialized skill set that requires intensive training and meticulous procedures. If anyone other than a qualified Computer Examiner does as little as power on the computer or insert media into a computer, evidence could be destroyed and rendered unusable in court.
NetEvidence, Inc. regularly conducts extensive computer forensic investigations for clients ranging from small companies to Fortune 100 corporations. In addition, we have worked with federal and state law enforcement, under the direction of a company's counsel, on a variety of matters.
Our certified computer forensic investigators use proprietary techniques to meet the stringent requirements of the courts in all of our findings. Our specialists have significant experience assisting companies in a wide range of investigations.
NetEvidence experts know how computers and programs operate, and we can explain the forensic findings to each client in a professional manner at all knowledge levels. Because we understand the hardware and software, we know where to find potential evidence, and we are able to authenticate the findings in court. Most importantly, we understand how to create and maintain a chain of custody so the evidence is received without challenge of improper handling and procedure.
NetEvidence creates a comprehensive chronology of computer usage, determines whether computer evidence was altered, damaged or removed, and provides you with a timeline report stepping you through the entire investigation.
No. Several factors can affect the ability to recover deleted data from a computer or electronic device. After a file has been deleted it may be overwritten and become unrecoverable through the regular operation of the computer. Also, there are commercially available drive-wiping utilities that can render deleted files unrecoverable.
Additionally, activity or files may be known, but the targeted media may not be the system that created or caused the activity. Mobile phones, laptops, cloud based systems, desktops, and networks all have to be factored into the investigation where present.
In some cases, Instant Message communications can be uncovered.
Many computer forensic investigations revolve as much around the timing of the document creation, modification or deletion, as around the contents of the documents themselves. Meta-data is information about a file (such as last modification date and time) that is saved automatically by the computer operating system.
Additional Meta-data might be which company the software was registered to within the application, which printer last printed the document, which network drive was last targeted for saving the file, etc.
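The role of file system metadata in timing questions can be shown with a small timeline builder. This is an added example, not NetEvidence's tooling; the file names and timestamps in `SAMPLE` are constructed, and in practice `collect_events` would be pointed at a read-only mounted copy of the evidence.

```python
import os
import tempfile
from datetime import datetime, timezone

def collect_events(root):
    """Return sorted (timestamp, event, relative_path) tuples for every file under root."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # stat() reads the inode only; the file is never opened, so its
            # access time is not disturbed by building the timeline.
            st = os.stat(path, follow_symlinks=False)
            rel = os.path.relpath(path, root)
            events.append((st.st_mtime, "modified", rel))
            events.append((st.st_atime, "accessed", rel))
            # st_ctime is the inode-change time on Unix and creation time on Windows.
            events.append((st.st_ctime, "changed", rel))
    return sorted(events)

def in_window(events, start, end):
    """Keep only events inside the period the investigation cares about."""
    return [e for e in events if start <= e[0] <= end]

def render(events):
    """Format events as UTC lines so reports do not depend on the examiner's time zone."""
    lines = []
    for ts, kind, rel in events:
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        lines.append(f"{stamp}  {kind:<8}  {rel}")
    return lines

# Constructed sample: file name -> (modified, accessed) as Unix epoch seconds.
SAMPLE = {"proposal_v1.doc": (1700000000, 1700007200),
          "proposal_v2.doc": (1700003600, 1700003600)}

def demo():
    """Build the constructed sample in a temp directory and return its timeline."""
    with tempfile.TemporaryDirectory() as root:
        for name, (mtime, atime) in SAMPLE.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.utime(path, (atime, mtime))  # os.utime takes (atime, mtime)
        # "changed" events are dropped here: the kernel stamps them with the
        # time this demo ran, so they fall outside the sample window.
        return render(in_window(collect_events(root), 1700000000, 1700007200))

if __name__ == "__main__":
    print("\n".join(demo()))
```

The merged, sorted view is what lets an examiner see that `proposal_v1.doc` was opened again after `proposal_v2.doc` had been written.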
Forensic Discoveries provide a detailed report that explains the processes used to acquire and secure the electronic evidence, the qualifications of the examiner, the scope of the examination, the findings of the examination, and the examiner's conclusions. The format of the findings section can vary depending on the goals of the investigation. The findings section may include file listings including: file date/time stamps, document printouts, email printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results. The examiner's conclusions may be the most critical component of the final report. These conclusions, based upon the examiner's expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.
However, some reports may only provide specific results as directed by counsel. Oftentimes, it is better to have less rather than more until you know how the case is going to proceed.
Protecting your digital data is important. But paper and the human voice remain important elements of the security mix. Keep confidential printed information in locked file cabinets and shred it when it's no longer required. If you're talking about confidential information on the phone, take appropriate steps to ensure you're not overheard. Remember the old saying "loose lips sink ships".
A firewall acts as a protective barrier between your computer and the Internet, monitoring all incoming and/or outgoing traffic and allowing only the network traffic you permit. Firewalls come in the form of software, which nestles itself between your operating system and your network card. They also come in the form of hardware; for many home and small office users, it is a simple router device that sits between your computer's network jack and the wall connection. You can customize the level of protection the firewall gives you, setting it to filter information flow from specific domain names, addresses, or types of network traffic.
Hackers search the Internet in a way akin to dialing random phone numbers. They send out pings (calls) to random computers and wait for responses. Firewalls prevent your computer from responding to these random calls. If your computer doesn't respond, hackers won't know it's there.
Removable media such as USB drives are convenient ways to store data; the trouble is, they're just as convenient for thieves as for you. Wherever possible, store confidential information in protected encrypted space. If you have to store confidential information on removable media, you must encrypt it and then delete it as soon as you no longer need it.
Learn how to recognize the signs of a hidden attack and avoid becoming a phishing victim. Never click on a link in an email; if you're tempted, cut and paste the URL into your browser. That way, there's a good chance your browser will block the page if it's bad. And don't open email attachments until you've verified their legitimacy with the sender.
Keep your operating system, critical applications (like your browser) and antivirus patched and up-to-date, and use a personal firewall. That way, you'll avoid becoming vulnerable to hackers and others looking to steal information. You should also run FileVault on Mac OS X or something similar on Windows to encrypt your entire hard drive so that, in the event it is stolen or lost, your data cannot be accessed.
All of it! Operate under a need-to-know data classification. Examples of information needing to be protected include but are not limited to: Passwords or other login credentials, PINs (Personal Identification Numbers), Birth date combined with last four digits of Social Security Number and name, Credit card numbers with cardholder name, Tax ID with name, Driver's license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name, Social Security number and name, Health insurance information, Medical records related to an individual, Psychological counseling records related to an individual, Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account, Biometric information, Electronic or digitized signatures, Private key (digital certificate), Law enforcement personnel records, and Criminal background check results.
It really isn't about the frequency of password values. It is about the strength of the password. Never make a password your dog's name, spouse's name, type of car you drive, or anything that is easily known about you for someone to guess. Make the password long and contain non-alpha characters in addition to the letters you use.
Data loss prevention is software and hardware designed to detect potential data breaches and data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). In data leakage incidents, sensitive data is disclosed to unauthorized personnel either by malicious intent or inadvertent mistake. Such sensitive data can come in the form of private or company information, intellectual property (IP), financial or patient information, credit-card data, and other information depending on the business and the industry.
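The detect-and-block step for data in motion can be sketched as a content inspector for an outbound message. This is an added example, not the vendor's DLP product; the patterns, the `enforce` policy and the sample messages are assumptions, and the card and SSN values are constructed test data.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# U.S. Social Security number written as NNN-NN-NNNN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def inspect(text):
    """Return (kind, (start, end)) for each sensitive value found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("credit_card", m.span()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.span()))
    return findings

def enforce(message):
    """Hypothetical policy: block on any finding and return a redacted copy
    that is safe to include in a notification to a reviewer."""
    findings = inspect(message)
    if not findings:
        return "allow", message
    redacted = message
    # Replace from the end so earlier offsets stay valid.
    for _kind, (start, end) in sorted(findings, key=lambda f: f[1], reverse=True):
        redacted = redacted[:start] + "[REDACTED]" + redacted[end:]
    return "block", redacted

if __name__ == "__main__":
    print(enforce("Invoice attached. Card 4111 1111 1111 1111, SSN 123-45-6789."))
    print(enforce("Order 4111 1111 1111 1112 shipped"))  # fails Luhn, so allowed
```

The checksum is what keeps order numbers and similar digit runs from triggering a block, which matters when the alerts go to supervisors.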
Our DLP solutions reduce risk in many ways; here are three standards included in all solutions:
No. Email is the first phase of our DLP program. The DLP technology will include monitoring and preventing use of unauthorized USBs, and scanning desktops and file shares for confidential information. Communication will be distributed as new DLP features are implemented.
An email notification may be sent to your supervisor/manager and privacy officer depending on the circumstance. During the initial phase, the goal will be to obtain an understanding of business needs. Eventually, it is planned to send notifications to supervisors/managers as part of the tuned DLP program.
The essential goal of litigation support is to organize, analyze, and present case materials through computer systems. In federal criminal defense cases, there are three primary ways that litigation support is used by Federal Defender Office (FDO) staff and Criminal Justice Act (CJA) panel attorneys. One is in conducting electronic courtroom presentations. Another is management and analysis of paper documents and their electronic equivalents. The third is the identification, collection, preservation, processing, review, analysis and production of electronically stored information (ESI).
Litigation support is the marriage of project management and technology. We believe that while every district is different and every case is unique, there are certain standards to follow in order to ensure that the data involved in a case is handled in a cost effective and time efficient manner allowing for good organization, easy retrieval and effective client representation.
You walk into your office and on your desk sit a few hard drives and a stack of DVDs and CDs. On your floor and down your hallway sit what seems to be an endless number of boxes filled with paper. You are told that there is more coming, yet you have no idea what you already have. Now what? This is an increasingly common dilemma being faced by trial teams and we hope that we can help you answer that question easily and efficiently. We want to be part of your team and, like the common language we must speak when it comes to ESI, there are some common questions that need to be answered in order for you to manage your data effectively, plan your strategy, budget thoughtfully, and develop a workflow for your team to follow so that you move ahead smoothly.
The primary purpose of the ESI protocol is to facilitate more predictable, cost-effective, and efficient management of electronic discovery and a reduction in the number of disputes relating to ESI. The protocol provides a mechanism, through a meet and confer process, to address problems a receiving party might have with an ESI production early in a case, and to discuss the form of the discovery that the party receives.
"Discovery" is the process by which relevant information is exchanged between parties in a lawsuit. It is conducted via production of documents and the taking of depositions. Federal and state courts have long recognized that electronic data is subject to the same discovery rules as other evidence relevant to a lawsuit. The issue has received substantial national attention recently, however, because of a series of court rulings resulting in the imposition of huge sanctions on parties for their failure to preserve electronic data and because of amendments to the Federal Rules of Civil Procedure that took effect on December 1, 2006. Upon notice that a lawsuit has been commenced against you (or a charge filed with an administrative agency), or if it is reasonably anticipated that a lawsuit may be brought (or a charge filed), you are now under a legal duty to preserve all evidence, whether hard copy or electronic, that might become relevant to the lawsuit.
The new federal rules require a party to suspend routine or intentional purging, overwriting, re-using, deleting, or any other destruction of electronic information relevant to a lawsuit, including electronic information wherever it is stored - at a work station, on a laptop, or at an employee's home. It includes all forms of electronic communications - e.g., e-mail, word processing, calendars, voice messages, instant messages, spreadsheets, videos, photographs, information in PDAs, and data in any other locations where electronic information may be stored. This electronic information must be preserved so that it can be retrieved - if necessary - at a later time. The information must be preserved in its original electronic form, so that all information contained within it, whether visible or not, is also available for inspection - i.e., it is not sufficient to make a hard copy of electronic communication.
You will be notified of the duty to preserve electronically stored information through a notice called a "litigation hold" (or a "preservation hold"). You will then be asked to cooperate with NetEvidence and your local IT personnel to ensure that we identify and preserve all potential sources of electronically stored information in your possession or under your control. You will be asked to complete and return a questionnaire identifying all potential sources of electronically stored information. It is critical that you complete and return this questionnaire without delay. Until NetEvidence personnel have taken steps to preserve your electronically stored information, you should be particularly careful not to delete, destroy, purge, overwrite, or otherwise modify existing electronic data.
Initially, no one will review your data. If and when a discovery request is made, NetEvidence may be asked to conduct a search of the data. You or your counsel will be present if and when your data is ever accessed. On occasion, before a discovery request is made, your counsel may want to review electronically stored information to assist in answering the lawsuit or to comply with initial discovery obligations.