How IT Forensics Works
In our part of the world, the smaller countries of the Balkan peninsula, we tend to associate digital forensics with law enforcement agencies only. In the wider world, however, it is more often than not carried out by private investigators in the commercial sector. Corporations and larger organizations often find themselves in situations where they need to conduct an electronic investigation themselves, for their own needs, or to hire an outside company to do it: because they suspect a breach, a hacker intrusion, errors or malicious employee activity, or because they expect or have received a request for data from a law enforcement agency. Digital forensics clears up the situation: what was going on in an IT environment or on a single workstation. Such an investigation could result in a legal case, but that is not mandatory, so don't associate this kind of solution only with the kind of things that go on in criminal-case thrillers on TV.
A good forensics tool, such as those provided by OpenText (formerly Guidance Software), works the same whether it is used for law enforcement or for commercial needs. In general, digital forensics can be organized into three steps, which are quite analogous to the steps of non-digital forensics.
A – Evidence collection and preservation. Just as in the physical world, the evidence must remain in its original form throughout the investigation process. Evidence is data on hard drives, sometimes in memory, in emails, etc. Forensic tools collect this data and store it internally in a form that never changes; it can only be read. Data on a hard disk changes if the computer is being used, so forensic solutions include tools that can make a perfect copy of the data on it, through various connectors or over the network.
B – Searching. Once the investigator has a copy of all the relevant data, they use a forensic tool to analyze it: searching for files, patterns, phrases, images, emails, copies of IP data, etc.
C – Case management. Forensic tools store multiple digital investigation cases and are multi-user oriented. They offer extensive case analysis and reporting, and should guide a digital investigator from evidence collection through analysis and reporting, up to a legal case if needed.
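The following is an added example, not code from this article or from OpenText/Guidance Software, showing in miniature what steps A and B amount to: a copy of a device is taken and sealed with a SHA-256 hash, the copy is re-verified before any analysis (so tampering is detectable), and keyword and IPv4 searches are run over the sealed copy. The device contents, addresses, file names and keywords are all constructed for illustration.

```python
# Added example (not the article's or OpenText's code): steps A and B above run over
# a constructed device image; all contents, addresses and keywords are made up.
import hashlib
import re
from dataclasses import dataclass

# Constructed raw device content (stands in for a disk read through a write-blocker).
DEVICE_BYTES = (
    b"\x00" * 64
    + b"From: alice@example.test\r\nSubject: quarterly figures\r\n"
    + b"payroll-export.xlsx" + b"\x00" * 32
    + b"GET /admin HTTP/1.1\r\nHost: 10.0.0.5\r\nX-Forwarded-For: 192.0.2.44\r\n"
)

@dataclass(frozen=True)
class Evidence:
    """Immutable record: the acquired image plus the hash taken at acquisition time."""
    image: bytes
    sha256: str

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire(device: bytes) -> Evidence:
    """Step A: copy the device byte-for-byte and seal the copy with its hash."""
    image = bytes(device)  # a full copy, never a reference to the live device
    return Evidence(image=image, sha256=sha256_hex(image))

def verify(ev: Evidence) -> bool:
    """Re-hash the image; it must match the acquisition hash before any analysis."""
    return sha256_hex(ev.image) == ev.sha256

def keyword_search(ev: Evidence, patterns: list[bytes]) -> dict[bytes, list[int]]:
    """Step B: every byte offset at which each pattern occurs in the read-only image."""
    if not verify(ev):
        raise ValueError("hash mismatch: evidence integrity cannot be established")
    return {p: [m.start() for m in re.finditer(re.escape(p), ev.image)] for p in patterns}

def find_ipv4(ev: Evidence) -> list[str]:
    """Step B: carve dotted-quad IPv4 strings (each octet 0-255) out of the image."""
    octet = rb"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
    pattern = rb"(?<!\d)" + octet + rb"(?:\." + octet + rb"){3}(?!\d)"
    return [m.group().decode() for m in re.finditer(pattern, ev.image)]

if __name__ == "__main__":
    ev = acquire(DEVICE_BYTES)
    print(keyword_search(ev, [b"payroll", b"/admin"]))
    print(find_ipv4(ev))
    altered = Evidence(image=ev.image.replace(b"/admin", b"/index"), sha256=ev.sha256)
    print("altered copy verifies:", verify(altered))  # False: tampering is detectable
```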