COMPUTER FORENSICS

Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and electronic storage media. Computer forensics is also known as digital forensics.

The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a electronic storage medium (such as a hard disk or CD-ROM), an electronic document (such as an email message or JPEG image), a digital file or even a sequence of data packets moving over a computer network. The goal of the forensic examination is to be able to state what information is present and in some circumstances an explanation as what is the sequence of events responsible for the present situation?

There are many reasons to employ the techniques of computer forensics:

• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
• To prepare corporate e-documents or digital properties for business, legal or compliance purposes
• To recover data in the event of a hardware or software failure.
• To analyze a computer system after an intrusion, for example, to determine how the attacker gained access and what the attacker did.
• To gather evidence against an employee that an organization wishes to terminate.
• To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

Forensic Investigators building a case for prosecution must be particularly careful when conducting a forensic investigation as the results will probably need to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the alleged crime to the investigator, and ultimately to the court.

CYBER SURVEILLANCE

Computer surveillance is the act of performing surveillance of computer activity, and of data stored on a hard drive or being transferred over the internet.

Computer surveillance programs are widespread today, and almost all internet traffic is closely monitored for clues of illegal activity.

Supporters say that watching all internet traffic is important, because by knowing everything that everyone is reading and writing, they can identify terrorists and criminals, and protect society from them.

DATA RECOVERY

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as hard disks, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system.

The most common "data recovery" issue involves an operating system failure, typically on a single-disk, single-partition system, where the goal is to simply copy all wanted files to another disk.

The second type involves a disk-level failure such as a compromised file system, disk partition, or a hard disk failure, in each of which the data cannot be easily read.

A third type involves the process of retrieving files that have been deleted from a storage media, since the files are usually not erased in any way but are merely deleted from the directory listings.

CENTINEL will attempt to recover data for you, this may result in a full or partial recovery but CENTINEL assures its clients that such services are conducted in a purely confidential nature. 

DIGITAL INVESTIGATIONS

Nowadays, digital property is among the most valuable of assets of a company, and may be, customer records, corporate knowledge database, engineering design, business transaction activities, business emails, e-cash, intellectual properties, marketing / business intelligence, and marketing plans, to name a few.  Leakage or theft of corporate digital property can bring huge financial loss and damages to the company, including disrepute to goodwill, compliance failure, breach of data privacy, and loss of public trust.

CENTINEL has the capability to prevent and detect digital and information related crimes.  Please feel free to call us for a security assessment and advice.

EXPERT EVIDENCE

CENTINEL will provide an expert report and expert for court actions. In some cases an argument may be made to dispute the evidence held by the other party, in other cases it may be possible to refute the evidence on procedural matters, the chain of evidence and/or tampering after seizure. A CENTINEL Digital Evidence Review will add to your insight of any case.

LITIGATION/TRIAL SUPPORT

CENTINEL will guide you on the procedures that should have been followed in the seizure and handling of a computer or digital device.   CENTINEL will advise you on how a copy of the data should be obtained for unbiased expert examination and if necessary be present to do so.

By conducting Digital Forensics and Digital Investigations on data devices CENTINEL will work with the client to establish what evidence is available.  CENTINEL will then determine whether that data can support the client’s case or not.  If the evidence or interpretation of that evidence does support the case the client will be informed of the substance of this.  More than discovery and matching in DNA or Fingerprint evidence, Digital Forensic evidence includes both the discovery and reconstruction of electronic data and the interpretation of reconstructed data and user behaviour which is often a matter of informed opinion and open to objective argument.

MARKETING/COMPETEIVE INTELLIGENCE

Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. In the intelligence community, the term "open" refers to overt, publicly available sources.

Open sources for intelligence, (OSINT), includes a wide variety of information and sources:

• Media: newspapers, magazines, radio, television, and computer-based information.
• Web Based Communities and user generated content: social-networking sites, video sharing sites, wikis, and blogs.
• Public Data: government reports, official data such as budgets, demographics, hearings, legislative debates, press conferences, speeches, marine and aeronautical safety warnings, environmental impact statements and contract awards.
• Professional and academic: conferences, symposia, professional associations, academic papers, and subject matter experts.

CENTINEL will search and compile in depth studies and reports on these to fit a client’s requirements.

PENETRATION TESTING

A penetration test is a method of evaluating the security of a computer system or network simulating an attack from a malicious source. These tests can be aimed at external threats or internal threats.  The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full Security Audit.

Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that are available to the testers. Black Box Testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, White Box Testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. There are also several variations in between, often known as Grey Box Tests. The relative merits of these approaches are debated. Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.

The services offered by penetration testing firms span a similar range, from a simple scan of an organization's IP address space for open ports and identification banners to a full audit of source code for an application.

A penetration test should be carried out on any computer system that is to be deployed in a hostile environment, in particular any Internet facing site, preferably before it is deployed. This provides a level of practical assurance that any malicious party will not be able to penetrate the system.  Hacking abilities are adapting all the time and together with software such as malware kits, makes penetration testing necessary on a regular basis.

Black box penetration testing is useful in the cases where the tester assumes the role of an outside hacker and tries to intrude into the system without adequate knowledge of the system.

Penetration testing can be an invaluable technique to any organization's information security program. Black box penetration testing is a labor-intensive activity and requires expertise to minimize the risk to targeted systems. At a minimum, it may slow the organization's networks response time due to network scanning and vulnerability scanning. Furthermore, the possibility exists that systems may be damaged in the course of penetration testing and may be rendered inoperable, even though the organization benefits in knowing that the system could have been rendered inoperable by an intruder. Although this risk is mitigated by the use of experienced penetration testers, it can never be fully eliminated. CENTINEL have skilled testers at hand and these are monitored by their Team Leaders during a test. 

SECURITY ADVICE

CENTINEL is able to give advice following a simple walk through of existing or planned systems but would advocate a full study of planned systems and commencing with a security audit of an existing system.

SECURITY AUDITS

An information security audit is an audit of the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits and multiple objectives for different audits. Most commonly the areas being audited can be categorized to technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and highlights key components to look for and different methods for auditing these areas.

When centered on the IT aspects of information security, it can be seen as a part of an Information Security Audit however, information security encompasses much more than IT.

CENTINEL is capable of carrying out a full IT Security Audit and making recommendations on its findings, including the frequency such audits should be conducted.

SEMINARS

In the near future CENTINEL will be hosting seminars in a number of computer related fields.

The first seminar will be a package for Lawyers and Solicitors, which will be aimed at covering the practicalities in dealing with legal cases involving digital data and possible digital evidence. The seminar will leave participants with the knowledge to be able to handle cases with digital evidence in a professional and confident manner. In addition attendees will be given an information pack containing templates to assist them in future cases.

Contact CENTINEL at Advice@centinel.com.hk

TRAINING

CENTINEL is pleased to offer training in digital investigation and digital forensics. CENTINEL’s Mobile Computer Forensics Unit (MCFU)”, may be deployed for on-site corporate training, this is especially suited to the banking and finance sector where data confidentiality and privacy are of primary concern. MCFU is a mini-computer forensics lab which is used for digital investigation and forensics training with training or production data on-site.

The training period is normally for 4 days, with 2 days spent training and two days of instructional use.