Computer Forensics
Computer Forensics is commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence. Although it is often considered more of an art than a science, computer forensic specialists, as in any discipline, follow clear, well-defined methodologies and procedures. It is well known that courts mandate proper seizure and analysis techniques for computer evidence, which must be followed and documented in any investigation where a computer is the means or the instrument of a crime.
Remember: all keystrokes, anything viewed on the monitor, every inter-office memo and all information coming from the Internet has at one time or another been stored on the computer's internal hard disk drive. Because of this, there is a high probability that a great deal of this information can be recovered and investigated, even though it has been previously erased or deleted!
FSG is accustomed to working closely with the client while using specifically approved forensic software to search for key words and evidence relevant to the case. We have always demonstrated flexibility whenever encountering the unusual. In respect of this service, we emphasize the following:
- FSG has industrial and commercial experience in both computer hardware and software design
- FSG has a proven track record regarding forensic acquisition of digital evidence
- FSG uses only the highest quality industry accepted and proven forensic tools
- FSG has been recognized for its ability to succeed where others have failed
Post Acquisition Service:
We have the tools to probe into data stored on computer disks in hidden and normally inaccessible areas. FSG is skilled in finding related information that you specify using powerful key-word search algorithms and has succeeded where others have failed. We can also testify in court as to the method and validity of our recovery techniques.
As difficult as it would be to scan a directory of every file on a computer system, it would be equally difficult for the examiner to read and assimilate the amount of information contained within those files. For example, 12 GB of printed text data would create a stack of paper 24 stories high. For primarily pragmatic reasons, computer forensic science is used most effectively when only the most pertinent information and details of the investigation are provided to the forensic examiner. From this information, the examiner can create a list of key words to cull specific, significant, and case-related information from very large groups of files. Even though the examiner may have the legal right to search every file, time limitations and other judicial constraints may not permit it. The examination in most cases must be limited to only well-identified pertinent information.
To the extent that computer evidence has a physical component, it does not represent any particular challenge. However, the evidence, while stored in these physical items, is latent and exists only in a metaphysical electronic form.
Note: Erasing or deleting a file does not remove it from the hard drive but merely allows the space that it occupies to be available for future storage. Files may exist for a very long time before they eventually become over-written. Forensic software can often find and recover these files.
Please contact Forensic Services Group (Hong Kong) as your next computer forensic consultant.

Far more information is retained on a computer disk than most people realize. It's also more difficult to completely remove information than is generally thought. Because of this, computer forensic software enables the examiner to discover evidence and very often to recover lost or deleted information, even if it was intentionally erased.
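
The key-word culling described above, together with the note that deleted files stay on disk until overwritten, as an added example (not FSG's or EnCase's code): it scans every byte of a raw image instead of a directory listing, so text left in a deleted file's sectors is still found. The image, the keyword and the function names are constructed for illustration; keywords are assumed to be ASCII and are matched in ASCII and UTF-16LE.

```python
import io

SECTOR = 512

def build_sample_image():
    """Constructed 3-sector raw image (sample data, not from a real case)."""
    img = bytearray(3 * SECTOR)
    def put(off, data):
        img[off:off + len(data)] = data
    put(0, b"Quarterly report, nothing unusual.")           # live file
    # "Deleted" file: its directory entry is gone, its sector is not yet reused.
    put(SECTOR, b"Wire funds to Project Falcon by Friday")
    # UTF-16LE text placed so that it straddles the sector 2/3 boundary.
    put(2 * SECTOR - 6, "FALCON".encode("utf-16-le"))
    return bytes(img)

def search_image(stream, keywords, chunk_size=SECTOR):
    """Scan every byte of a raw image; return sorted (offset, keyword, encoding)."""
    pats = [(kw, enc, kw.lower().encode(enc))
            for kw in keywords for enc in ("ascii", "utf-16-le")]
    overlap = max(len(p) for _, _, p in pats) - 1
    hits, tail, base = set(), b"", 0       # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        # Keep the end of the previous chunk so boundary-spanning hits are seen.
        buf = tail + chunk.lower()
        for kw, enc, pat in pats:
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, kw, enc))
                pos = buf.find(pat, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return sorted(hits)

if __name__ == "__main__":
    for off, kw, enc in search_image(io.BytesIO(build_sample_image()), ["falcon"]):
        print(f"offset {off} (sector {off // SECTOR}): {kw!r} as {enc}")
```

Reading in fixed-size chunks keeps memory use flat on large images; the overlap carried between chunks is what catches the hit that crosses a sector boundary.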

Computer Forensic tools:
The most important tool for a computer forensic investigator is the software used to perform the investigation. Without specially designed computer forensic software, there cannot be a true forensic analysis.
FSG uses EnCase forensic software, the most advanced computer forensics tool for law enforcement, the military, and corporate security worldwide. More than 10,000 corporate and government investigators depend on EnCase to manage large-scale and complex computer forensic investigations with accuracy and efficiency. Validated by trial and appellate court rulings, EnCase allows examiners to view and search all the information contained on any storage device.
An important feature of computer forensic software is a verification process that establishes that the investigator did not corrupt or tamper with the subject evidence at any time during the investigation. EnCase software employs a standard algorithm to generate an image hash value by calculating a unique numerical value based on the exact contents of the subject disk drive. If even a single bit of data changes, such as by adding or deleting a character or changing the case of a character, the hash value will be different, indicating that the evidence has been tampered with.
The most common hashing process in use today is MD5 (Message Digest number 5), which is based on a publicly available algorithm developed by RSA Security. The odds of two computer files or two images of drives with different contents having the same MD5 hash value are approximately one in ten raised to the 38th power (1 followed by 38 zeros). For purposes of comparison, a billion is 1 followed by only 9 zeros.
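
An added example of the verification step described above (not EnCase's code or FSG's procedure): digests are recorded at acquisition and recomputed later, and changing the case of one character, which is a single-bit change, is detected. The function names and the sample image are constructed for illustration; recording SHA-256 and the image size alongside MD5 is an assumption, made because the odds quoted above concern accidental matches rather than deliberately constructed MD5 collisions.

```python
import hashlib
import io

def acquire(stream, chunk_size=1 << 16):
    """Stream an image once and return its acquisition record."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify(stream, record):
    """Recompute the record; return the fields that no longer match."""
    current = acquire(stream)
    return [field for field in record if current[field] != record[field]]

def flip_bit(data, offset, bit):
    """Return a copy of data with one bit inverted."""
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)

def build_evidence():
    """Constructed stand-in for a disk image (sample data only)."""
    return b"Pay to account 1234\n" * 1000

if __name__ == "__main__":
    image = build_evidence()
    record = acquire(io.BytesIO(image))
    print("untouched :", verify(io.BytesIO(image), record))
    # 'a' (0x61) -> 'A' (0x41): a case change is a single flipped bit.
    tampered = flip_bit(image, image.index(b"a"), 5)
    print("case flip :", verify(io.BytesIO(tampered), record))
    print("truncated :", verify(io.BytesIO(image[:-1]), record))
```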