Digital Forensic Process
Formally, the Acquisition can be defined as the process executed to collect and identify all information stored in the suspect computer systems (memory, processes, network connections, storage –hard drives, media cards, etc.-malware …). The acquisition process must be performed strictly following forensically sound procedures so that the investigator can prove at any given moment that not even a bit has been modified or lost during the process, ensuring the reliability, completeness and accuracy of all items. All the aforementioned procedures are verifiable and able to stand in a court of law if necessary.
Digital evidence can be collected from various sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change).
During a Forensic Investigation acquisition process, all the activities performed should be timed and thoroughly documented.
- Preservation and Custody of Evidence
Special measures should be taken when conducting a Forensic Investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected, preserved and kept under appropriate Custody, preserving the Chain of Custody from the scene of the crime to the investigator and ultimately to the Court.
Chain of custody refers to the chronological documentation, and/or paper trail, showing the acquisition, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
The Analysis phase of the Digital Forensic process addresses the extraction of the individual elements of information that may be of significant to the case. For this purpose, a myriad of specialized tools are used to discover information from different sources. There is no perfect tool for every kind of process, so in many investigations, numerous tools are used to analyze specific portions of information.
Typical Forensic Analysis includes a manual review of material on the media, reviewing the Windows registry for suspicious information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.
Once the analysis is complete, a report is generated. This report may be a written report, an oral testimony or any combination of the two. The aim of this phase is to present the evidence obtained in a form that is an accurate representation of the facts and that is understandable by the intended audience.
Contego have developed our own methodologies based on many years of experience with different clients and with multiple types of investigations.
We have developed a modular approach to the Forensic Laboratory Design. Our experience demonstrates that almost every customer needs a set of common Forensic equipment (what we call the Core Forensic Laboratory) and on top of that, a number of additional modules. Each of those modules will address a specific need by providing the adequate tools to do the job and not all clients will need the same modules (or at least not with the same components, as some of them will need Basic, Medium or Advanced configurations). Our methodology has strong emphasis on quality, thoroughness and reporting mechanisms
Core Forensic Laboratory:
The common forensics equipment that will enable our clients to perform basic forensics investigations, we provide the required consultation to design deploy and maintain a successful Core Forensics Laboratory.
The Core Forensic Laboratory (CFL) is designed to meet and support the following objectives:
Collaborative and Centralized investigation design: allowing remote access to every investigator regardless of their physical location. This functionality must be supported by the Digital Forensic Laboratory infrastructure design.
Virtualized Evidence Analysis: the client can create an Analysis Computer Template with every evidence analysis tool on the market. With this virtualization environment a different templates may be used depending on the investigation needs. Working with virtual machines allows the investigator to work on clean OS every time they begin an investigation. This Functionality requires using a third party virtualization tools.
- Incident Response: This module is including everything needed to perform efficient incident response actuations: software to collect volatile evidence, to perform live investigations.
- Evidence Acquisition: A portable solution to provide the required flexibility for in-the-field collection and analysis and everything needed to perform a successful acquisition in a cabin-sized ultra-light case (forensic laptop and jump bag with forensic software, write blockers, hard drive duplicators, adapters, storage, etc.).
- Evidence Preservation: This module is composed of all equipment you need to keep your evidence safe and keep its chain of custody through time, like fireproof data safe, tamper proof evidence bags, anti-static bags, etc.
- Password Recovery: It includes specific hardware and software designed to recover unknown or lost passwords using multiple recovery tools and approaches (brute force, rainbow tables, dictionary attacks, hybrid,…)
- Email Investigations: It includes best software to succeed in the analysis of multiple types of email (Outlook, Thunderbird, Lotus, etc.) and webmail (Yahoo, Hotmail, Gmail, etc.).
- Browser Investigations: It includes software to perform an in-depth analysis of Internet browsers (IE, Firefox, Safari, etc.), including Browsing History, Cookies and Cache Analysis.
- Internet Investigations: All necessary to perform real world searches of identities in multiple search engines and social networks, to discover relationships with other individuals, email accounts, phone numbers, addresses.
- Optical Media: This module Includes all hardware and software needed to succeed in investigations involving Optical Media(CDs, DVDs, Blu-ray, etc.).
- Multimedia Forensics: All hardware and software to perform advanced multimedia (audio, video, and images) search in computer forensic investigations by analyzing the visual features in the image or video.
- Mobile Devices Forensics: All hardware and software necessary to perform Mobile Device Forensics in the huge number of existing different devices(cell phones, PDAs, BlackBerrys, iPods, iPhones, GPS Navigators, etc.).
- Network Forensics: The hardware and software you need to succeed in capturing and analyzing network traffic, including network sensors and analysis stations
- Malware Analysis: The hardware and software you need to succeed in the analysis of Malicious Software, allowing to perform deep forensic analysis of executable code, creating a complete reverse engineering environment.
- Media Recovery: This module includes all advanced components, hardware and software, needed in order to recover data from damaged or deleted media from all kind of file systems.
Digital forensic Investigations Service
Contego Solutions own a fully equipped digital forensic laboratory ready to perform end-to-end digital forensic investigations starting by evidences preservation to reporting the case findings. Contego solutions own the fastest forensic server to be owned by private company in the Middle East.
With expert investigation team Contego Solutions is fixable in offering the digital forensic investigations service as the team may get involved in the investigation process at any part as the client would require.
Implementations and Trainings:
Contego Solutions Methodology to achieve the successful projects delivery of digital Forensic laboratories deployments includes the following:
The key to our approach is to assemble the right team, with the proven skills, motivation, and tools to achieve our client’s goals. We have done that by including team members who have previously successfully demonstrated the necessary skills, expertise, and experience this team is well rounded and provides at least double coverage on all key skills.
Contego Solutions eliminates a major risk by having required staff identified and in place prior to award. By establishing multi-discipline teams and providing them with a clear mission and powerful tools, the motivation to succeed becomes self-evident. It is our program management philosophy to remove administrative and bureaucratic hurdles allowing the team to focus on accomplishing the mission.
Contego Solutions will ensure that all teams receive Process Optimization Training. This will enable the team to leverage the appropriate tools and techniques throughout the implementation. This will result in our teams continually looking for process inefficiencies and opportunities to improve.
Training road map design
One of the most important aspects for the project successful implementation is the knowledge transfer training, Contego Solutions is committing to provide the sufficient training to help our client’s digital forensic personals to gain the technical knowledge and the required skill sets to be able to operate their own digital forensic laboratory with the highest international standards.
The training road map design is divided into two main levels to match with the digital forensic laboratory human resources structure:
Technical knowledge transfer training (forensic tools usage):
This training is targeted to the forensic analysts with main objective of maximize their knowledge about all the tools available, focusing on best practices and techniques.
Advanced Technology Vendor Training:
This training is target specific digital forensics items that requires advanced trainings provided by the technology vendors.Contego Solutions offer to design and plan the required professional training to our clients.
Please feel free to contact us to schedule meeting with you and evaluate your requirements.