Analysis, investigation and evidence preservation techniques for IT systems

Digital forensics, also known as IT forensics, is a specialist field at the intersection of IT and forensic science. It supplies evidence, for example for court proceedings, relating to the use of digital media. This does not necessarily involve computers: the focus is increasingly shifting to mobile devices such as smartphones. Not only do we use these devices more and more for personal communication, they also hold a large part of our private lives, such as photos, addresses, personal behavior patterns and even health data.

Cars are another area where IT forensics is seeing greater use, as modern vehicles produce, store and process large amounts of data. This involves not only the car manufacturers themselves but also their suppliers and the service providers that store and process the data, creating a complex network of parties. Because the vehicle needs certain technical data in order to function, that data can be read out with the appropriate tools and provides insights into many aspects of driver behavior.


The S-A-P model

Regardless of the medium in question, IT forensics experts always follow what is known as the S-A-P model. This stands for secure, analyze, present.

Secure

The secure phase focuses on securing data that is potentially relevant. It is essential that the secured data is not altered in the process; a physical write blocker is used to ensure this. The duplicate is then compared with the original using hash values to confirm that the two are identical, and this comparison can be double-checked by a second specialist. When handling volatile data (e.g., memory), a trade-off is sometimes unavoidable between capturing the data completely and leaving it unaltered. Such cases require precise documentation of the procedure followed and the decisions taken.

Analyze

In the analyze phase, the secured data is prepared and analyzed using one or more forensic software tools, such as Nuix or X-Ways, depending on the case. Depending on the amount of secured data, this phase can be the most time-intensive and takes at least a few days in most cases.

Present

The final phase is present. It focuses on presenting the evidence found in a clear, logical and understandable way so that well-founded conclusions can be drawn. For court cases in particular, it is vital to keep evidence chains intact and to document the process precisely.

Further topics regarding IT forensics

Thanks to the broad and diverse scope of IT, digital forensics is divided into further subcategories, including operating system forensics, network forensics, malware forensics and many others. Forensic investigations generally take one of two approaches. The first is post-mortem analysis, in which secured data is investigated after a system has been shut down. Live analysis, by contrast, secures and analyzes data from a running system. Minor data alterations are to be expected here, especially on encrypted systems, and these changes must also be clearly documented.

SVA has a team of highly experienced and certified IT forensics specialists that can help you in all of these phases.

Christian Haupt, Community Lead