The forensic examination of digital media, be it computer hard drives, network drives, USB external drives, thumb drives, CDs, etc., is not simply the recovery of deleted data.
In most cases, the fact that someone elects to have a forensic examination of their media means that there is a possibility of legal proceedings, be they criminal, civil or internal to their organisation. A forensic examination adheres to certain accepted principles of best practice and rules of evidence that ensure that any material gathered is obtained in the correct manner and is admissible in court. If these principles are not employed, the investigation runs the risk of having any evidence gathered ruled inadmissible, resulting in the loss of any proceedings.
In general, the principles in the UK, which are reflected in most countries, are the four laid down in the ACPO Good Practice Guide for Computer-Based Electronic Evidence:
1. No action taken by law enforcement agencies or their agents should change any data held on a computer or storage media which may subsequently be relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Whilst these principles were drawn up primarily for criminal investigations, they have been adopted within the industry as a whole.
Further consideration should be given to the continuity of any such evidence produced. How can it be shown that the evidence gathered refers to the computers or media in question, especially when the material may pass through several hands?
A number of industry-standard forensic tools exist to aid the examination of digital media, and these are in use by CTL. They enable large amounts of data to be processed quickly and allow the results of what has been found to be checked.
CTL have over 9 years' experience in conducting examinations on all types of media, in preparing and presenting the evidence found to legal authorities, and in giving evidence in the Crown Court as an expert witness.
As well as holding academic qualifications, our examiners have successfully completed numerous courses, both on forensic subject matter and software-specific.
What can be examined?
Literally anything that has digital media stored on it, whether it be physically local or remote over a network, provided the necessary authority is available to access the data. As stated above, forensic examination is not only the recovery of deleted data. It can be the recovery and analysis of system data such as Temporary Internet Files and Registry information; indeed, anything, deleted or not, that might have a bearing on the case.
How can a forensic examination help?
1. In criminal matters, a major obstacle will be to convince the police that a crime has been committed and that whatever actions were taken prior to reporting have not affected the evidence so as to make it unusable.
2. In internal or civil matters that may be contested in a tribunal or civil court, the above principles still need to be complied with if the risk of having the evidence ruled inadmissible is to be avoided. Many system administrators have the skills to obtain the evidence but are unaware of the need to preserve data and keep records of what was done. It can also be argued that they are hardly independent of any investigation. Many would rather not appear in court to give evidence.
3. The proper gathering and examination of data can be far cheaper than simply paying off staff to leave the company. Having the evidence to discipline them for misconduct and dismiss them can be a far more cost-effective way of dealing with the situation.
Costs of a forensic examination.
As intimated at point 3 above, examinations can be far cheaper than the alternative of paying someone to leave. CTL also have the ability, expertise and knowledge to look at the evidence gathered and give an informed opinion as to whether it is sufficient, so that further lengthy work and higher costs can be avoided.
In a recent case, CTL were employed to look at a number of computers. An employee was suspected of having used them to create false invoices to defraud the company. The examination of the first computer proved negative, and the company were looking at spending thousands of pounds to have the rest looked at. However, as it became apparent what material the company already had to hand, CTL advised them to contact the police. The employee later pleaded guilty at court. The company received a compensation order, and they saved a great deal of money by not having to pay for a number of computers to be examined.
Data Recovery Services.
Many people and companies lose data from their media, whether it be a USB thumb drive containing personal data, a computer hard drive containing their family photographs or a RAID system containing business data worth thousands.
Using our specialist software, experience and techniques, such data can be recovered. Because the constraints imposed by the requirements of a court are not present, this is a less time-consuming and therefore less expensive procedure.