Q. What is Computer Forensics?
A. Computer forensics deals with the
extraction, analysis, and presentation of
evidence collected from computers or any digital
device that can be classified as a computer. The
proof or otherwise of a fact in issue before a
court of law or arbitration tribunal is
predicated on admissible facts.
Computer evidence, as a species of legal evidence,
is technical in nature and therefore requires
professional input when digital evidence becomes
relevant in any given case. Because computer
evidence can be volatile and intricate in
character, it is imperative that proper
procedure is adhered to during and after the
investigation of any computer-related dispute.
Q. When should I consider using Computer Forensics?
A. Being proactive is the best approach to
adopt with any issue concerning computer
evidence. To avoid the attendant cost of
non-compliance, interference with corporate work
and a knee-jerk reaction to a court request for
document disclosure, the use of computer forensics
must, as a matter of policy, be integrated with
the corporate objectives and business processes.
It should start with implementing a functional
incident response protocol and a proper chain of
internal processes for investigating possible
computer abuse issues that may arise now or in the
future. If there is no protocol in place, the
next best thing to do is to discuss the matter
with an expert once litigation is contemplated or
notice of it has been received.
Whatever the temptation, do not start an
internal investigation without consulting a
legal or forensic expert. Most cases fail on the
initial use of reckless and ignorant procedure
in investigation, which renders otherwise
probative evidence useless.
Q. Can my IT Department conduct a Computer
Forensics Investigation?
A. The answer to this is YES and NO.
Your internal IT department can conduct a
forensic examination if the proper structure has
been put in place.
Because of privacy and other human rights laws,
combined with the real possibility of destroying
evidence and exposure to legal liabilities, the
necessary protocols, training and authority must
be in place before any assigned personnel may
undertake a forensic investigation within an
organisation.
Experience has shown that the most problematic
area in dealing with forensic evidence is the
panic and knee-jerk reactions of untrained
internal staff, which often result in
compromised digital evidence that turns out to
have no real probative value.
Back to the question: your IT department can
conduct a forensic investigation if it has
personnel with the requisite forensic and incident
response training, coupled with a predefined
scope of authority.
Q. When should I call in the Computer
Forensics Expert?
A. Acting in a proactive rather than a
reactive manner, it is appropriate to call in a
computer forensic expert to conduct a gap
analysis of your enterprise network for possible
flaws with respect to potential litigation as it
affects document discovery, incident response
policy, IT use policy, security protocol, and
document access and retention strategy.
However, if you are compelled to act in a
reactive mode, the best time to call in a
forensic expert is as soon as a security breach
is detected or there is potential litigation on
the horizon by internal staff or corporate clients.
Don't wait until a court-ordered case management
conference, or until after your IT department has
conducted what they call an internal
investigation. Very often IT gets into panic
mode when a breach or potential breach is
detected. In an attempt to stop the attack,
otherwise useful evidence is often unwittingly
destroyed or compromised.
Q. What is an incident response protocol - do I
need one?
A. An incident response protocol essentially
dictates what steps to take when an incident
occurs within the computer network of an
enterprise. These incidents may amount to a
criminal breach - cyber attack on the network,
unauthorised access to documents, denial of
service, virus attack, corporate espionage or
simply staff misuse of company computers.
An incident response protocol is the product of a
thorough examination of a particular
network, spelling out the steps and processes to
be followed when an incident occurs on that
network. It is the reference point that
ultimately determines, in terms of response to a
crisis, what was done right and what was a
faulty response, and possibly allocates
responsibilities to pre-assigned personnel.
A well-implemented protocol takes the guesswork
out of response. It also helps to prove due
diligence in a company's IT
infrastructure implementation, especially for
insurance claims, third-party relationships and
establishing security baselines.
Q. What are the implications if I ignore
Computer forensic evidence?
A. It is a disastrous strategy to ignore
computer evidence where it is crucial to
a case. Sometimes, whether to use computer
evidence may not be obvious on the surface.
An expert is better placed to formulate the
forensic components of your case. Inviting an
expert in at an early stage will forestall the
problems listed below:
increased potential cost of litigation
as a result of not properly identifying
the relevant data or search strings,
delay in responding to document discovery,
possible professional negligence for
neglecting probative evidence,
compromising probative evidence,
accusations of tampering with evidence,
and punitive costs for litigants.
Q. How do I proceed if a Computer is
compromised?
A. Stop using the computer immediately (unless
it is not viable in your particular circumstances
to do so). Disconnect the computer from the
network by removing the network cable. Ensure
you do not switch off the computer, as this will
lead to the loss of volatile data.
Secure the area where the computer is located
and, if possible, treat it as a crime scene.
Record any unusual visual observations around
the desk and the computer. DO NOT try to start
investigating the computer yourself if you have
no formal computer forensic training. Once the
area is secured, call in the expert.
Q. Why is it important to carry out an I.T Audit?
A. Firstly, it shows compliance or otherwise
with accepted security and user protocols. It is
a proactive rather than reactive measure to
ensure the smooth running of your computer
network. It also provides a gap analysis for the
purpose of ensuring compliance with corporate
governance legislation and directives.
An IT Audit requires a conscious effort to
streamline business practices against the
backdrop of business alignment needs,
business security, implementation of
business processes and business continuity
strategies. A regular IT Audit of the business
therefore prevents a knee-jerk reaction to
crises and business continuity needs in times of
disaster.
Q. How do I ship a Computer or Hard Drive for
examination to I.T Evidence Ltd?
A. Log on to our
Contact Page and request a Client Code. This
will be sent to you within 24 hrs of receipt of
your email. It is important that you indicate
this client code clearly and boldly on the
package. You may also wish to upload your
acquired image via our web site after obtaining
a client code.
If sending a physical disk or storage device,
it is your responsibility to ensure it is
properly packed for transport. In addition
to proper, secure packaging and posting, we
suggest the disk be enclosed in an anti-static bag.