Incident Response

Unbeknownst to many, preservation of evidence and chain of custody are two topics with which many forensic companies are only vaguely familiar. This is something that DFS takes very seriously. There is nothing more devastating than spending valuable time and resources only to learn that a case will be lost due to lapses in chain of custody procedures or preservation policies. Unfortunately, this is usually discovered after a client has agreed to have a complete forensic analysis, reports and court preparation completed. DFS would suggest that this is not the time to learn valuable lessons with regard to the rules of evidence.

DFS goes to great lengths to secure potential evidence and to preserve a chain of custody that will withstand any trial.

If evidence resides outside the client's control (e.g. at an ISP), a preservation letter must be sent to the company holding the information. When making a request, one must use specific instructions pertaining to the information sought. The request must be specific with regard to times, dates, public IP addresses (if available), time zone, email ID, screen name(s) and email address(es), where applicable.
♦ This must be followed up with legal process, initiated and processed by legal counsel.

Collection of Live System and Network Evidence

This has become more important than ever, and this process alone can make or break any case. The collection of 'live' information has become paramount when dealing with technologies such as disk encryption, virtual machines, running processes, bots and other malware. A great deal of information can be hidden on a running system and may be lost once that system is restarted, powered down or abruptly halted.

Mail server data sets have become enormous, and web server uptime has become increasingly critical to company infrastructure, not to mention e-commerce. Many cases can be streamlined with regard to evidence recovery by employing live forensic strategies: servers can stay up while evidence is captured. This approach may not always be possible, but it is probable in a large number of cases.

Is the heart of the problem residing on a server, workstation, router or other device on the network? Sometimes this apparently simple question is the holy grail of initial questions to be answered. Many forensic companies may not have the in-depth networking experience or equipment needed to track such a difficult issue; DFS does. If the problem lies on the network and is constantly moving, it will never be found once systems are taken offline and analyzed post-mortem. DFS knows where and how to look for these network-related issues to complete the big picture and further the investigation.

DFS experts will harvest as much live system information as possible as the first step of the forensic and analysis process. This critical step can answer many questions and possibly provide the key to an investigation before ever leaving the premises. It is also the most technical step within the forensic process, where a great amount of care and experience must be employed to ensure a successful engagement. DFS experts have the experience to secure this information, thereby providing a greater chance of success.

Collection of Post-Mortem Systems

There is an enormous debate as to whether a system should be powered down via the computer's software/hardware shutdown or simply have the plug pulled from the machine. The debate centers on the type of OS running on the target system, the live state information that can or cannot be captured, locking down some or all of that live state information, and the forensic principles involved. With this in mind, DFS personnel understand the pros and cons and the pitfalls that can occur with each philosophy. DFS personnel will only use procedures that they have professionally experienced. These procedures will be those proven to be forensically sound and defensible in a court of law.

DFS integrates this evidence with an in-depth understanding of today's legal procedures, utilizing advanced computer hardware and software, trained and certified forensic analysts, and litigation support. Digital evidence is identified and presented in a manner that is clear, concise and understandable, making it suitable for presentation to those without a computer background.

Due to the complexity and the potential for data loss and data corruption, a DFS-certified professional should perform these procedures. This can be completed using Linux/UNIX tools, but should only be done with specialized forensic tools and should not be attempted by system administrators or the like. Most attempts to "help" DFS in this process usually result in data loss or corruption of evidence.