Forensic Evaluation of Compute Systems
Finding Evidence of Attack Methodology and Impact
If a successful attack has occurred, there may be times when customers want or need to inspect a computer for evidence of either how the attack was carried out, or what actual theft or damage occurred as a result of the attack.
The need for computer forensics could arise from investigation into intellectual property theft, industrial espionage, employment disputes, fraud investigations, forgeries, bankruptcy investigations, inappropriate email and internet use in the workplace, or regulatory compliance.
Computer forensics is best left to professional investigators – skilled at finding and analyzing files and file ‘metadata’ to ascertain things including when a document first appeared on a computer, when it was last edited, when it was last saved or printed, and which user performed these actions.
Key steps performed by CyberDefenses forensics specialists include:
- Collection: Identifying and securing devices which may store evidence and documenting the attack
- Analysis: Examination of file contents and file metadata for evidence of attack activity and/or attack impact (modified, damaged, copied, or removed files)
- Report: Capture of findings, including basic analysis of what happened and how this knowledge assists with remediation and security control / policy improvements
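As an illustration of the Collection and Analysis steps above, the following added example (not CyberDefenses' tooling) walks a directory of collected files, records the metadata timestamps and owner an analyst would use to establish when a document appeared and who last touched it, hashes each file so the collected copy can later be shown to be unaltered, and orders the records into a timeline; the sample evidence files and their timestamps are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks; the digest is the integrity record for the collected copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def build_timeline(root):
    """Return one record per regular file under root, ordered by last-modified time."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks planted in evidence
            if not stat.S_ISREG(st.st_mode):
                continue
            # Caveat: st_ctime is metadata-change time on Linux/macOS and creation time on
            # Windows, so "first appeared" needs corroboration from other sources (logs, MFT).
            records.append({
                "path": os.path.relpath(path, root),
                "size": st.st_size,
                "owner_uid": st.st_uid,   # 0 on Windows; map to a username on POSIX via pwd
                "modified": _utc(st.st_mtime),
                "accessed": _utc(st.st_atime),
                "changed": _utc(st.st_ctime),
                "sha256": sha256_file(path),
            })
    records.sort(key=lambda r: r["modified"])
    return records

def verify_record(root, rec):
    """Re-hash a file and compare with its timeline record (chain-of-custody check)."""
    return sha256_file(os.path.join(root, rec["path"])) == rec["sha256"]

def make_sample_evidence():
    """Constructed sample: two files with fixed modification times (not real evidence)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    for name, body, mtime in [("memo.txt", b"draft contract", 1_700_000_000),
                              ("report.pdf", b"%PDF-1.4 sample", 1_700_003_600)]:
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(body)
        os.utime(p, (mtime, mtime))   # pin atime/mtime so the timeline order is deterministic
    return root

if __name__ == "__main__":
    for rec in build_timeline(make_sample_evidence()):
        print(rec["modified"], rec["sha256"][:12], rec["owner_uid"], rec["path"])
```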