Forensics

Computer Crime

The vast majority of information in the workplace is now stored on PCs and servers, suggesting that no internal investigation of any form should ignore digital evidence. Industrial espionage, employee misconduct and intellectual property theft are among the computer security incidents that increasingly plague corporate organizations.

Erasing or deleting a file does not remove it from the hard drive but merely allows the space that it occupies to be available for future storage. The file may exist for a very long time before it eventually becomes over-written.




Computer Forensics:

Computer forensics is commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence. Courts mandate the proper seizure and analysis of computer evidence in any investigation where a computer is the means or the instrument of a crime.

The most important tool for a computer forensic investigator is the software used to perform the investigation. Without specially designed computer forensic software, there cannot be a true forensic analysis. FSG has this software.

An important feature of computer forensic software is a verification process that establishes that the investigator did not corrupt or tamper with the subject evidence at any time during the investigation. The software employs a standard algorithm to generate an image hash value by calculating a unique numerical value based on the exact contents of the subject disk drive. If even a single bit of data changes, such as by adding or deleting a character or changing the case of a character, the hash value will be different, indicating that the evidence has been tampered with.

The most common hashing process in use today is MD5 (Message Digest number 5), which is based on a publicly available algorithm developed by RSA Security. The odds of two computer files or two drive images with different contents having the same MD5 hash value are approximately one in ten raised to the 38th power (1 followed by 38 zeros).

For purposes of comparison, a billion is 1 followed by only 9 zeros.
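
The verification process described above can be sketched as follows. This is an added example, not code from FSG or from any forensic product: the file name evidence.img, the function names and the sample image contents are all constructed for illustration. It records SHA-256 alongside MD5 because deliberately constructed MD5 collisions are practical, so the odds quoted above apply to accidental changes only.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never has to fit in RAM


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the image at path, read in chunks."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def verify_image(path, recorded):
    """Re-hash the image; return the algorithms whose value no longer matches."""
    current = hash_image(path, tuple(recorded))
    return [name for name in recorded
            if not hmac.compare_digest(current[name], recorded[name])]


def flip_one_bit(path, offset):
    """Simulate alteration of the evidence by flipping a single bit in place."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)[0]
        fh.seek(offset)
        fh.write(bytes([original ^ 0x01]))


def demo():
    """Acquire, verify, alter one bit, verify again (constructed sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.img")  # hypothetical image file
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 8192)     # 2 MiB constructed "drive image"
        acquired = hash_image(image)               # values recorded at acquisition
        clean = verify_image(image, acquired)      # untouched image: no mismatches
        flip_one_bit(image, offset=1_500_000)
        tampered = verify_image(image, acquired)   # altered image: both digests differ
        return acquired, clean, tampered, hash_image(image)


if __name__ == "__main__":
    acquired, clean, tampered, after = demo()
    print("acquired:", acquired)
    print("mismatches before change:", clean)
    print("mismatches after one-bit change:", tampered)
```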

Remember: all keystrokes, anything viewed on the monitor, every inter-office memo and all information coming from the Internet has at one time or another been stored on the computer's internal hard disk drive. There is a high probability that a great deal of this information can be recovered and investigated, even though it has been previously erased or deleted!

It is important that we be called into the case as soon as possible when there is a possibility that digital evidence is at stake. Remember, acquiring evidence from a computer hard drive is relatively inexpensive and well worth the insurance should it become necessary to proceed with the more involved key-word evidence search later on.

  • Whenever there is a need to analyze information, FSG will work together with the client using specifically approved forensic software to search for key-words & evidence relevant to the case, after which we will issue a detailed report to present our findings in a court of law.

In respect of this service, we emphasize the following:

  • FSG is willing to carry out our work under the scrutiny of your client's security personnel.
  • We will acquire evidence from the subject hard drive using approved forensic software.
  • All evidence acquired will be encrypted allowing only FSG and authorized client access.
  • FSG will proceed, when instructed, to search for evidence related to the case.

Post Acquisition Service:

We have the tools to probe into data stored on computer disks whether it be in hidden or deleted files. FSG is skilled in finding related information that you specify using powerful Key-Word search algorithms. We can testify in court as to the method and validity of our recovery techniques.

Please note:
Forensic Services Group has worked together with Hong Kong security companies to uncover computer-related criminal activities.

Please contact Forensic Services Group (Hong Kong) as your next technical consultant!