Digital Forensics

Investigations in the digital era


Forensic analysis involves the examination of electronic devices and the presentation of facts and opinion regarding the data examined. Analysis can be used to identify matters including theft of intellectual property, inappropriate use of IT in the workplace, fraud, and recovery of deleted data.
We also offer second opinions: a review of a case or report prepared by another specialist or another party. We can audit the reports of other experts; it is a requirement of due diligence for a lawyer to request the advice of an expert when technical and scientific elements are involved.




We use best-in-class tools for the extraction and analysis of data from mobile devices. We can perform physical, logical or file system extractions of current and old mobile phones, smartphones, tablets and GPS devices. Our extractions also include the recovery of deleted data such as call logs and text messages, as well as extracting data from SIM and memory cards where possible.


We have seen a significant rise in the incidence of Ransomware and Spear Phishing attacks, as well as the regular compromise of hosted systems. Attackers have been able to identify and exploit weaknesses in business IT systems as well as the naivety of users, resulting in the substantial loss of data and money. This should prompt all businesses to reassess and test the security of their systems. All businesses should be examining access control, reviewing the need for two-factor financial sign-off and questioning the effectiveness of their continuity and backup systems.


The capture and preservation of computers, business servers and other digital devices in a forensically sound manner is the most important part of every investigation we undertake. We can acquire and secure data from desktop and laptop computers, servers, mobile phones, external hard drives, memory cards and backup tapes, to name a few sources.


SYNETA can acquire data from computers and servers covertly without end-user knowledge or disruption to business applications. This service is offered when discretion is needed during an investigation or when access to computers is not available outside of normal business hours. We can also offer this service when the acquisition of email or database servers is required but a service outage is not acceptable.


Simply deleting files or formatting a hard drive before sale or disposal is not enough to ensure that data can't be recovered and prevent it falling into the wrong hands. We can assist in matters where secure deletion of data from computers, servers and other digital devices is required.


SYNETA provides expert report and testimony services. We present digital evidence in a manner that is legally acceptable and easily understood by judge and jury, using clear explanations, visual representations and virtualised computer environments. SYNETA can also examine reports and evidence provided by other experts.


We provide forensic investigation services in matters of corporate fraud and financial crime. Our role typically involves the secure collection of electronically stored information from user computers, servers, phones and accounting systems. Once the data has been collected we conduct analysis away from the business to identify evidence supporting allegations or concerns. Where required we can prepare a "brief of evidence" suitable for delivery to law enforcement.


A Digital Forensic Investigation Involves Several Steps


1. Policy and Procedure Development

Whether related to malicious cyber activity, criminal conspiracy or the intent to commit a crime, digital evidence can be delicate and highly sensitive. Cybersecurity professionals understand the value of this information and respect the fact that it can be easily compromised if not properly handled and protected. For this reason, it is critical to establish and follow strict guidelines and procedures for activities related to computer forensic investigations. Such procedures can include detailed instructions about when computer forensics investigators are authorized to recover potential digital evidence, how to properly prepare systems for evidence retrieval, where to store any retrieved evidence, and how to document these activities to help ensure the authenticity of the data.


2. Evidence Assessment

A key component of the investigative process involves the assessment of potential evidence in a cyber crime. Central to the effective processing of evidence is a clear understanding of the details of the case at hand and thus, the classification of cyber crime in question. For instance, if an agency seeks to prove that an individual has committed crimes related to identity theft, computer forensics investigators use sophisticated methods to sift through hard drives, email accounts, social networking sites, and other digital archives to retrieve and assess any information that can serve as viable evidence of the crime. This is, of course, true for other crimes, such as engaging in online criminal behavior like posting fake products on eBay or Amazon intended to lure victims into sharing credit card information. Prior to conducting an investigation, the investigator must define the types of evidence sought (including specific platforms and data formats) and have a clear understanding of how to preserve pertinent data. The investigator must then determine the source and integrity of such data before entering it into evidence.


3. Data Acquisition and Preservation

Perhaps the most critical facet of successful computer forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is needed prior to, during, and after the acquisition process; detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation process, and the systems being investigated. This step is where policies related to preserving the integrity of potential evidence are most applicable. General guidelines for preserving evidence include the physical removal of storage devices, using controlled boot discs to retrieve sensitive data and ensure functionality, and taking appropriate steps to copy and transfer evidence to the investigator’s system. Our systems holding your data will be fully encrypted, so your data at rest is protected against theft, loss and similar risks.

Acquiring evidence must be accomplished in a manner both deliberate and legal. Being able to document and authenticate the chain of evidence is crucial when pursuing a court case, and this is especially true for computer forensics given the complexity of most cybersecurity cases.

Artefacts analysis or evidence examination: In order to effectively investigate potential evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Investigators typically examine data from designated archives, using a variety of methods and approaches to analyze information; these could include utilizing analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that have been recently deleted. Data tagged with times and dates is particularly useful to investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.

Analyzing file names is also useful, as it can help determine when and where specific data was created, downloaded, or uploaded and can help investigators connect files on storage devices to online data transfers (such as cloud-based storage, email, or other Internet communications). This can also work in reverse order, as file names usually indicate the directory that houses them. Files located online or on other systems often point to the specific server and computer from which they were uploaded, providing investigators with clues as to where the system is located; matching online filenames to a directory on a suspect’s hard drive is one way of verifying digital evidence. At this stage, computer forensic investigators work in close collaboration with criminal investigators, lawyers, and other qualified personnel to ensure a thorough understanding of the nuances of the case, permissible investigative actions, and what types of information can serve as evidence.


4. Documenting & Reporting

In addition to fully documenting information related to hardware and software specs, computer forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence. Not only does this demonstrate how the integrity of user data has been preserved, but it also ensures proper policies and procedures have been adhered to by all parties. As the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an investigator’s failure to accurately document his or her process could compromise the validity of that evidence and ultimately, the case itself.

For computer forensic investigators, all actions related to a particular case should be accounted for in a digital format and saved in properly designated archives. This helps ensure the authenticity of any findings by allowing these cybersecurity experts to show exactly when, where, and how evidence was recovered. It also allows experts to confirm the validity of evidence by matching the investigator’s digitally recorded documentation to dates and times when this data was accessed by potential suspects via external sources.
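One way to make the chain of evidence and the digital activity record described above tamper-evident, shown as an added example that is not SYNETA's own tooling: each custody record stores the SHA-256 of the evidence image and the digest of the previous record, so a later edit to any record or to the image is detectable. The field names, examiner names, timestamps and sample image are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous digest" used by the first entry
SAMPLE_IMAGE = b"constructed stand-in for an acquired disk image"  # not real evidence

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log: list, when: str, who: str, action: str, evidence_sha256: str) -> dict:
    """Append a custody record that commits to the previous record's digest."""
    body = {"when": when, "who": who, "action": action,
            "evidence_sha256": evidence_sha256,
            "prev": log[-1]["digest"] if log else GENESIS}
    entry = dict(body, digest=entry_digest(body))
    log.append(entry)
    return entry

def verify_log(log: list, evidence: bytes) -> list:
    """Return a list of problems; an empty list means log and evidence agree."""
    problems, prev, actual = [], GENESIS, sha256_hex(evidence)
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["prev"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(body) != entry["digest"]:
            problems.append(f"entry {i}: contents altered after recording")
        if entry["evidence_sha256"] != actual:
            problems.append(f"entry {i}: evidence hash mismatch")
        prev = entry["digest"]
    return problems

def build_sample_log(image: bytes) -> list:
    """Constructed three-step history: acquire, verify working copy, examine."""
    log, h = [], sha256_hex(image)
    add_entry(log, "2024-01-10T09:00:00Z", "examiner-a", "acquired image", h)
    add_entry(log, "2024-01-10T11:30:00Z", "examiner-a", "verified working copy", h)
    add_entry(log, "2024-01-11T08:15:00Z", "examiner-b", "keyword search on copy", h)
    return log

if __name__ == "__main__":
    log = build_sample_log(SAMPLE_IMAGE)
    print(verify_log(log, SAMPLE_IMAGE))   # untouched log and image
    log[1]["who"] = "someone-else"         # edit a record after the fact
    print(verify_log(log, SAMPLE_IMAGE))
```

The digest of the newest record has to be kept somewhere outside the log, for example in the signed report, because rewriting the final entry together with its own digest leaves no later record to expose the change.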
