Cyber Forensics Related FAQ |
|
What is Cyber Forensics?
Answer: A classical definition is, "Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law." Generally speaking, computer forensics, also known as cyber forensics, is considered to be the use of analytical techniques to identify, collect, preserve, and examine evidence or information that is magnetically stored or encoded, applying scientifically proven methods to gather, process, interpret, and use digital evidence to provide a conclusive description of cyber crime activities. Cyber forensics also includes the act of making digital data suitable for inclusion into a criminal investigation. Today, cyber forensics is a term used in conjunction with law enforcement, civil litigation, organizations, and private investigations such as domestic matters. Cyber forensics and related subjects are also offered as courses at many colleges and universities worldwide.
|
|
Why is Computer Forensics Utilized?
Answer: This process is normally used to acquire and provide digital evidence of a specific or general activity. The forensic investigation itself can be initiated for a wide variety of reasons. While the most high-profile cases are usually in the area of criminal investigation or high-visibility civil litigation, forensic techniques can be of value in a wide variety of situations, including simply tracking what happened on a computer system when data has been lost.
|
|
How else might Computer Forensics be employed?
Answer: Computer Forensics may also be used in cases of unauthorized disclosure or copying of sensitive business data, such as customer databases, price lists and employee payrolls, whether by accident or by intent; fraud and deception; Internet abuse by employees including downloading of pornography; industrial espionage by "crackers" and subsequent damage assessment; recovery of data thought to be deleted; revelation of data hidden or included in temporary or swap files; access to encrypted, password-protected data.
In general, as computers have moved into the mainstream, they are employed in more instances where sensitive information is sent by e-mail, instant messaging, FTP or copied on disk. Computer Forensics investigators can help validate the integrity of this computer data and interpret it.
|
|
What is involved in Computer Forensics and does the process work?
Answer: Computer Forensics includes the acquisition, examination, identification, analysis and interpretation of electronic data commonly created and used by computers and related digital devices. The process can be used to support both civil and criminal litigation as well as to enhance overall corporate information technology security. In general, Computer Forensics provides digital evidence to support allegations of certain activity in which computers are involved.
The forensic investigator's first step is to clearly determine the purpose and objective of the investigation. Then, the forensic investigator will take several careful steps to identify and extract all relevant data on a particular computer system or systems. Forensic analysis will extract the data that can be viewed by the operating system, as well as data that is invisible to the operating system. The investigator will discover all files on the subject's system. This includes existing active files, invisible files, deleted yet remaining files, hidden files, password-protected files, and encrypted files. In many cases, information is gathered during a computer forensics investigation that is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files, known by computer forensic practitioners as slack space. Special skills and tools are needed to obtain this type of information or evidence.
TCG's analysis and investigation work is conducted using the highest level of forensic scrutiny. We follow known forensic procedures and use only open and verifiable programming techniques. Our methodologies are transparent and, in legal cases, we encourage the Court and opposing sides to dissect our work because we stand behind its admissibility 100%.
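The slack space described above, as an added example that is not TCG's code or tooling: a constructed two-cluster toy volume (the 512-byte cluster size, file names and contents are all assumptions) in which a short file has reused a cluster that previously held a longer one. Reading the file the way the operating system does misses the old text, while a byte-level scan of the whole image finds it and places it in slack.

```python
CLUSTER = 512  # assumed cluster size for this constructed toy volume

def build_image():
    """Return (image, files). files maps name -> (cluster index, logical size)."""
    old = b"wire 25000 to account 99-1234 tonight".ljust(CLUSTER, b".")
    new = b"lunch menu"
    cluster0 = new + old[len(new):]   # new file overwrites only its own length
    cluster1 = b"quarterly report draft".ljust(CLUSTER, b"\x00")
    files = {"menu.txt": (0, len(new)), "report.txt": (1, 22)}
    return cluster0 + cluster1, files

def logical_read(image, files, name):
    """What the operating system returns: only the file's logical bytes."""
    cluster, size = files[name]
    start = cluster * CLUSTER
    return image[start:start + size]

def raw_scan(image, keywords, chunk=64):
    """Scan every byte in chunks; overlap windows so boundary hits are kept."""
    overlap = max(len(k) for k in keywords) - 1
    hits = set()
    for pos in range(0, len(image), chunk):
        start = max(0, pos - overlap)
        window = image[start:pos + chunk]
        for k in keywords:
            i = window.find(k)
            while i != -1:
                hits.add((start + i, k))
                i = window.find(k, i + 1)
    return sorted(hits)

def classify(offset, files):
    """Say whether a byte offset lies in a file's data, its slack, or neither."""
    for name, (cluster, size) in files.items():
        base = cluster * CLUSTER
        if base <= offset < base + size:
            return f"active data of {name}"
        if base + size <= offset < base + CLUSTER:
            return f"slack space after {name}"
    return "unallocated"

if __name__ == "__main__":
    image, files = build_image()
    for offset, kw in raw_scan(image, [b"account", b"report"]):
        print(offset, kw.decode(), "->", classify(offset, files))
```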
|
|
Do you guarantee recovering the data I am seeking if I order a Computer Forensics investigation and analysis from you?
Answer: No. However, we do guarantee our absolute best effort and are highly confident that we can recover the data that is recoverable. The reason is that what data may or may not reside on the hard disk drive of a computer is literally unknowable to us in advance of an investigation. For that reason, we do not know, in advance of an examination, what data may or may not be able to be recovered.
|
|
What risks are there if I don't consult a Computer Forensics Expert at the start of a problem?
Answer: The most frustrating aspect of forensic analysis is that the computer's operating system randomly "overwrites" deleted data on the hard drive. This means that the longer a computer is used, the more likely it is that older evidence will be lost. Fortunately, the operating system frequently records evidence in several places simultaneously. So if the data is overwritten in one area, it may still reside in another. It is impossible to know, however, whether the data that is most important to you will survive the constant use of the computer. Indeed, the simple act of turning the computer on or looking through files can potentially damage the very data you are seeking. The dates that files were created can be changed, files can be overwritten and evidence can be corrupted. The safest practice is for us to acquire an image of the computer's hard drive as soon as possible. Time normally reduces the amount of deleted data that is recoverable.
|
|
How can a Computer Forensic Company help us reduce loss and liability?
Answer: Consider the following: it is estimated that each year, billions of dollars are lost through employee theft, fraud and sabotage. This is the direct cost only. Add to it billions more in investigation and litigation costs, lost productivity, and the future value of Intellectual Property lost. The list goes on, as do the billions of dollars lost. Now, add the cost of the publicity surrounding employee malfeasance: loss of reputation, employee morale, a depressed stock price.
Finally, the new regulatory and litigation environment we are now entering places a new, heightened level of personal responsibility and liability on the backs of corporate executives and directors for the activities of their employees and organizations. How many are willing to take that risk? In civil cases, the evidence that we find may likely cause the other side to seek settlement.
Often, the cost to use professional Computer Forensic Certified third-party firms like TCG far outweighs the internal costs both in dollars and in winning your case. In addition, our rates are competitively priced while delivering fast aggressive service anywhere, anytime in the world.
|
|
How much do Computer Forensic Investigations typically cost?
Answer: In the past, Computer Forensic Examinations could run tens of thousands of dollars because of the manpower necessary to thoroughly examine a hard drive. With the advancement of technology in the Computer Forensics arena, that is no longer the case. The software and hardware available now make the price of Computer Forensics affordable and well worth the investment. Average costs nationally range from $350 an hour to upwards of $700.00 per hour.
As a part of the basic investigation, TCG will forensically examine a hard drive and search for up to ten (10) keywords that you supply. We will then forward to you a report that includes every instance of the keywords, whether it is in a deleted file, e-mail message, viewed web page, Word document, or any other active or deleted file that resides on the hard drive. This initial step will help determine if you have a case and if further examination is warranted. The total cost of a Computer Forensics investigation is based upon an hourly rate plus expenses incurred. The total cost will depend upon the complexity of the issues and the time involved. More time is usually required in the analysis and interpretation phase than in the initial acquisition of the data.
We charge $200.00 per hour for forensic analysis and require a $2,000.00 minimum fee for ordinary cases (a single PC or Mac with up to a 50 gigabyte hard drive). The fee beyond a forensic analysis is based on our hourly fee and is billed in 15-minute increments. Why do we have a 10-hour minimum? It is because an average examination takes a minimum of 10 hours to complete. Factors that affect the amount of time required include the amount of data to search (i.e., hard drive size, number of diskettes, etc.); volume of material; encryption; data hiding; and attempts at destroying the data.
Advice about your investment in forensic analysis: Counting pennies should not be a consideration when you need a proper forensic analysis completed. Consider what you stand to lose if your investigation is not handled properly and by a trained professional. The cost of a professional computer forensics firm far outweighs the internal costs, both in terms of dollars and in terms of winning your case. Our best advice is to not be "penny wise and pound foolish."
|
|
How should I ship my computer/hard drive to TCG for a Computer Forensics Investigation?
Answer: Please, before you do anything, call for complete instructions. TCG recommends that you have the disk drive(s) removed by an experienced computer technician and shipped to us. TCG can also talk you through this process. Please do not ship anything to us without contacting us in advance and obtaining a Case Number from us. The Case Number must be written on the shipping label. We will give you further shipping instructions when you contact us. Disk drives are static sensitive. Therefore, we recommend that the drive(s) be placed in an antistatic bag and sealed. Wrap about �-inch of solid foam or bubble wrap around the disc and tape so all sides are sealed. Make sure the contents will not bounce around in the box you use. If the hard drive is removed from the computer and sent to TCG for a Forensic Examination, make sure to document the date and time in the system and note whether it differs from the current time.
|
|
Does anything that you do in the process of acquiring the data change the hard drive?
Answer: There is no damage or alteration of any of the information contained on the original "suspect" source, and all analysis is performed on an image file or a copy. The hard drive is imaged (copied) onto our super computer. The system data is then analyzed from the "imaged" copy of the hard disk drive.
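One way the claim above can be checked, shown as an added example rather than TCG's procedure: hash the source while it is being imaged, then re-hash the source and the image later to show neither has changed. The use of SHA-256, the file names and the sample data are assumptions; the page does not say how the image is verified.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def acquire(source_path, image_path, chunk=1 << 20):
    """Copy source to image, hashing the bytes exactly as they are read."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while block := src.read(chunk):   # source is opened read-only
            h.update(block)
            dst.write(block)
    os.chmod(image_path, 0o444)           # working copy is read-only from here
    return h.hexdigest()

def verify(path, acquisition_hash):
    """True if the file still matches the hash recorded at acquisition."""
    return sha256_file(path) == acquisition_hash

def demo():
    """Constructed data: image a sample 'drive', verify, then alter one byte."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.bin")   # hypothetical file names
        img = os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 50 + b"tail")
        recorded = acquire(src, img, chunk=4096)
        intact = verify(src, recorded) and verify(img, recorded)
        os.chmod(img, 0o644)                   # simulate an accidental write
        with open(img, "r+b") as f:
            f.seek(100)
            byte = f.read(1)
            f.seek(100)
            f.write(bytes([byte[0] ^ 1]))
        altered_detected = not verify(img, recorded)
        return intact, altered_detected

if __name__ == "__main__":
    print(demo())
```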
|