¿How forensics work?

Computers are used for everything today. From browsing for information on specific issues and make purchases or negotiations with the Treasury, to communicate with our acquaintances and exchange documents, videos and photographs. Every step we take makes an impression on the hard disk. When you open a program, for example, we track the amount of time that has been opened and we can identify when it was last time. When using message services or telecommunications, Skype for instance, each message you send remains registered on the computer. When sending a file to the recycle bin, the user is recorded and the time and date on which it did. When you plug a USB flash drive or external hard drive to your computer, it is recorded, including a serial number and moment when it was made. All this are nothing but real examples, in a vast ocean of traces and records that we leave everywhere.

However, the most interesting part is that, even if the user intentionally tries to remove traces that leaves behind, it is very difficult to make a perfect work erasing, and on many occasions we can reconstruct the user activity from all traces and fingerprints that a forensic investigator can locate. Identification, acquisition, cloning, preservation

Identifiación, adquisición, clonación, preservación

The method of the research is to (1) identify repositories of information of interest (external hard drives, computers, pen drives, etc.); (2) collect and acquire information through a cloned sector by sector to ensure the integrity of the original, the accuracy of the copy and the chain of custody; (3) performing the processing of evidence putting (4) the original in a secure place, always preserving the chain of custody; and (5) develop a technical and executive report recording the steps taken and the conclusions that have been reached, depending on the specifics of each case

×
Hard2bit Services

Forensics

"Information is one of the most important strategic assets for a company"

A good expert inform is all you need

When is the time to prove certain acts done from a computer, it is vital to reach a forensic expert with experience and background in field, able to advise and help you make the best decisions. By performing a forensic, our experts will prepare a report that will help you defend your case.

Recuperación de datos de RAID
Principle of auditability

The forensic investigation process may have a strict methodology and a code of good practice that must be able to be validated at any time. All the steps will be noted to reach the conclusion of the expert inform.

Principle of reproducibility

Any forensic Research working on the same set of evidence, should be able to reach the same conclusions as the other. The researcher must be able to prove every step so that the report can be ratified by third parties.

Placas electrónicas PCB averiadas y fallos de firmware
Principle of defensibility

Defense of the report should be supported by the use of validated tools in the sector, a wide and proven experience and appropriate certifications. Our forensic experts defend their work before a judge if necessary.


The recent IT standard ISO/IEC 27037, about the procedures of identification, collection, acquisition and preservation of digital evidence, establish that the investigation have to be based upon a set of principles, for the evidence may be auditable, reproducible, and defendable before the courts with full confidence.


Identification
collection
acquisition

preservation of
digital evidence

The computer forensics is responsible for tracking all the places through the information flows, where is or Where have been, how got there or how was deleted , who has used it and how so, with who have been shared that information, and countless aspects and details that serve to demonstrate, in a manner widely accepted in courts around the world, that such information exists and that there has been some use of the informatio

All the procedures used in Hard2bit Data Forensics adjust strictly to the ISO / IEC standard 27037: 2012 in the field of information security on the identification, collection, acquisition and preservation of the digital evidence, which establishes a set of principles on which the research is based, so that it is auditable, reproducible, and defensible before the court with confidence.

More info
Toda clase de discos duros

In its quest for transparency, do things right, and to create a relationship of trust with every customer, Hard2bit provides:

How is forensics with Hard2bit

Borrados y formateos accidentales

About the procedures

The ISO / IEC 27037 standard establishes a set of guidelines or rules to be followed for identification, collection, acquisition and the preservation of digital evidence (hard drives, flash drives, pen drives, mobile phones, flash memory cards ...), which vary depending on the data storage device whose information is being studied. We describe below the principles on which all computer forensic investigations are based.

identificación de evidencias forenses

Identify process

The first step of a forensic investigation is the identification of all possible elements which are capable of storing information that may be useful for research. Such information may be physically contained in the logical structure of accessible devices and any type or technology (hard drives, flash drives, tapes, etc.), or outside the logical structure, deleted or damaged, or even in places geographically distant. At this stage hard drives, flash drives, printers, network resources, external drives, and all kinds of devices that can store data electronically.

Recolección de evidencias forenses

Collection process

Having identified the evidence which may be the subject of research, we proceed with their collection. All evidence taken or impounded must be perfect and individually identified, and must be perfectly documented the origin of each element of the investigation. Sometimes the collection has to be done using specialized means to ensure that the information will endure over time and not be destroyed, altered, or become inaccessible, as in the cases of forensic investigations of RAM, computers and hard drives volumes encrypted or password protected or mobile phones turned on.

Forense de calidad
Herramientas especializadas. EnCase, FTK.
Placas electrónicas PCB averiadas

Acquisition process

In forensic investigation is vital not change a single bit of evidence, so perform forensic copies is fundamental and is the first thing you should do after collect the evidence. Forensic copies or clones of the devices serve as a basis for further investigation, so it must be reliable and must be obtained through validated industry experts tools. Mobile phones should be stored in Faraday cages to avoid receiving external signals that can alter its contents.

Fallos físicos y mecánicos

Chain of custody

The most important aspect throughout the process of forensic investigation is the preservation of the chain of custody. The chain of custody is the mechanism by which all evidence is everywhere identified and protected know his location point, and the person responsible for its integrity and conservation locked up. Every step that involves movement or transfer of evidence from different investigators should be recorded through this mechanism to ensure the integrity and validity of all samples taken.

Contact

If you have suffered incident that may need a forensic investigation (Emails sent, Illegitimate use of corporate computer equipment, Data leakage , Economic crimes...), it is important to act with discretion and diligence. Every step of the process is vital and any error or defect could be decisive in the court. Don't make a false move and tell the case to our experts in the forensic departament.


Everything went well! We will contact you as soon as posible.

¡Oops! Please fill in all the required fields.