According to various industry studies, industrial espionage has grown so much in recent years that, in 2015, at least 4 in 10 companies complained of data loss or privacy breaches as a result of successful network theft and/or attacks.
Computer forensics aims to contain, and often prevent, data theft, industrial espionage, unauthorized access to corporate computer systems and computer damage, and to shed light on behaviors and facts that involve the use of information technology, providing the support the company needs.
The continuous evolution and growing complexity of information systems, together with the shift of everyday activities into the digital world, has placed law firms in the position of needing a specialized technical consultant who can extract, analyze and present digital data in legal proceedings, following scientific procedures that can withstand any challenge to the validity of the result obtained.
In Italy, the landmark law that defines how to legally use the results of forensic analysis in court is Law No. 48/2008, known as the “Budapest Convention Ratification Law.”
Our approach to analyzing information systems for possible wrongdoing varies with the operating state of the systems and the scope under examination:
- Retrospective analysis: an analysis performed with the machine switched off, after an offense has been committed. This is the most common activity and normally involves the seizure of a hard disk (or, more generally, a storage device), which is later analyzed in a specialized laboratory.
- Live analysis: the use of analysis techniques on running systems. Some types of offenses, such as unauthorized access to computer systems caught in the act (flagrante delicto), require the extraction of traces that reside not on hard drives but in RAM (Random Access Memory), which is volatile and retains its contents only as long as the system remains powered. In addition, storage devices are often protected by encryption, and RAM analysis may also prove useful for recovering system access credentials.
- Disk forensics: extraction of information from hard drives after cloning them into forensic (bit-for-bit) copies, on which a variety of analyses can be performed depending on the results sought.
- Memory forensics: retrieval of information from a computer's RAM, which is highly volatile. Forensic analysis of RAM is particularly suited to recovering system passwords and information about running processes, and to swap space analysis when performed in conjunction with disk forensics.
- Network forensics: analysis of network systems in order to highlight any evidence related to a specific case.
- Internet forensics: uses the techniques and methods of the other branches of computer forensics with the aim of highlighting offenses that involve the use of the Internet: websites, e-commerce sites, social networks, etc.
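As an added illustration of the bit-for-bit copy described under Disk forensics, the script below images a source block by block and hashes both the source and the finished image so the copy can be verified before any analysis starts. It is example code written for this page, not the firm's own tooling; the "device" is a constructed temporary file and the 4096-byte chunk size is an assumption.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # assumed block size for the copy; any sector multiple works


def image_device(source_path, image_path, chunk=CHUNK):
    """Write a bit-for-bit copy of source_path to image_path.

    SHA-256 is computed over the bytes as they are read from the source and
    again over the finished image, read back from disk, so that the two
    digests can be compared. Returns a dict with both digests, the number of
    bytes copied and whether they match.
    """
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    # Independent verification pass over the image actually written to disk.
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_hash.update(block)
    return {
        "bytes": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def demo():
    """Image a constructed 'device' (a temp file) and verify the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        # Constructed content: deterministic bytes, not a real disk.
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 40 + b"end-of-disk")
        result = image_device(source, image)
        with open(source, "rb") as src, open(image, "rb") as img:
            identical = src.read() == img.read()
        return result, identical


if __name__ == "__main__":
    print(demo())
```

In practice the source would be a block device opened read-only through a hardware write blocker, and the digests would be recorded with the seizure documentation so the image can be re-verified at any later stage.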