IT Forensics
Certified Experts for Critical Investigations, Guaranteed!
Data-Oriented Forensics
Data-oriented IT forensics focuses on the analysis of system data. System data, in turn, is any data and its contents that are located on the system under investigation, be it a laptop or a smartphone.
Incident-Oriented Forensics
The focus of an incident-oriented process is on analyzing and documenting the course of an incident, e.g., a cyber attack. However, it also includes incidents that are not the result of willful actions, e.g., a software malfunction.
What is IT Forensics?
Definition
IT forensics, often called digital forensics, computer forensics, or just forensics, is defined by the BSI as a "rigorously methodical approach to data analysis on storage media, computers, and networks for the purpose of resolving IT incidents, e.g., cyberattacks, software failures, and others."
IT forensics is most often used as a law enforcement tool, but it is also applied in IT incident response to provide valuable, actionable intelligence about incidents or attacks against an information network, with the goal of discovering sufficient clues about the causes and intentions behind such an incident.
Types of data relevant to a forensic investigation include:
- Hardware data
- Raw data
- Metadata (details about data)
- Configuration data
- Communication protocols
- Process data
- Session data
- User data
Approach
Two different approaches exist with respect to the timing of forensic analysis: post-mortem analysis and live forensics. In a post-mortem analysis, also called offline forensics, the forensic investigation of data takes place after an incident. The focus of such an investigation is on the analysis of non-volatile data that has been preserved in the form of images, i.e., as backup copies of the original storage media. In contrast, a live forensic investigation takes place while the incident is still in progress. Since the systems under investigation are still switched on, the main focus here is on the analysis of volatile data, e.g., running processes, network connections, and the contents of RAM and cache.
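In a post-mortem investigation, analysis runs on an image of the media rather than on the original, and the investigator has to be able to show that the image still matches what was acquired. The following is an added example, not DriveByte's code and not taken from this page; it assumes (as is common practice, but not stated on the page) that SHA-256 and MD5 reference hashes are recorded at acquisition time and re-checked before analysis, and it uses a constructed byte string in place of a real disk image.

```python
"""Added example: integrity verification of a forensic image in a post-mortem workflow.

Assumptions (not from the page): reference hashes are SHA-256 and MD5, and the
"image" is a constructed byte string standing in for a disk image file.
"""
import hashlib
from dataclasses import dataclass

CHUNK = 1 << 20  # hash in 1 MiB chunks so a real image need not fit in memory


@dataclass(frozen=True)
class AcquisitionRecord:
    """Reference values written to the chain-of-custody log at acquisition time."""
    size: int
    sha256: str
    md5: str


def hash_stream(data: bytes) -> tuple[str, str]:
    """Return (sha256_hex, md5_hex) of the data, computed chunk by chunk."""
    sha = hashlib.sha256()
    md5 = hashlib.md5()
    for off in range(0, len(data), CHUNK):
        block = data[off:off + CHUNK]
        sha.update(block)
        md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def acquire(source: bytes) -> tuple[bytes, AcquisitionRecord]:
    """Produce a working image plus its acquisition record; the source is only read."""
    image = bytes(source)
    sha, md5 = hash_stream(image)
    return image, AcquisitionRecord(len(image), sha, md5)


def verify(image: bytes, record: AcquisitionRecord) -> bool:
    """Re-hash before analysis; any mismatch means the copy is no longer evidence-grade."""
    if len(image) != record.size:
        return False
    sha, md5 = hash_stream(image)
    return sha == record.sha256 and md5 == record.md5


def demo() -> dict:
    """Walk through acquire -> verify -> detect a modified working copy."""
    # Constructed stand-in for a disk image: a fake boot-sector-like header plus filler.
    source = b"\xeb\x3c\x90FAKE-BOOT-SECTOR" + b"\x00" * 4096
    image, record = acquire(source)

    tampered = bytearray(image)
    tampered[100] ^= 0x01  # a single flipped bit in a working copy is enough to fail verification

    return {
        "original_ok": verify(image, record),          # True
        "tampered_ok": verify(bytes(tampered), record),  # False
        "source_untouched": source == image,             # True: acquisition did not modify the source
        "sha256": record.sha256,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two hashes are recorded rather than one so that the image can still be matched against logs or reports that only list the other algorithm; in a real acquisition the source media would be attached through a write blocker and the record stored with the custody documentation, not next to the image.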
In general, IT forensics can be classified as a sub-aspect of emergency management or, more specifically, of incident response. The aims of a forensic investigation differ from one security incident to another. In many situations, a forensic investigation is initiated to quickly confirm whether an incident has occurred at all. Beyond that, the results of an investigation should make it possible not only to detect an incident but also to contain it. In law enforcement, by contrast, the focus is on attributing the incident to a perpetrator and naming the damage that may have occurred.
Your Benefits at a Glance
Flawless
Precise and unmitigated execution of forensic investigations.
Exhaustive
Double-verification approach in all documentation activities.
Certified
Experienced forensic investigators in industry-standard approaches.
Timely
Quick and concise investigations for critical cases.
Frequently Asked Questions
A certified and experienced forensic investigator should be considered for a forensic investigation in any case involving digital information and its preservation for regulatory, statutory, or legal obligations. A forensic investigation might be necessary in the case of a cyber attack, illegal activities of employees, or internal audits.
Stop! Do not try to change or compromise the possible source of evidence in any way. Any activity performed on a computer might change its state and render present artefacts useless for a forensic investigation. Contact your IT department and immediately consult a certified expert, like the ones provided by DriveByte.
A forensic investigator of DriveByte will physically examine the possible evidence at the customer location and acquire any sources of the evidence without altering or compromising the source. If a direct collection is not possible, a forensic expert will guide the customer through the acquisition process. A secure transport is then organized by the logistics partner of DriveByte.