Computer forensics investigation

Computer forensics

Forensic analysis is a discipline concerned with the search for evidence in digital media in order to understand behaviour, remedy an incident and help make informed decisions. This evidence consists of traces, digital artifacts, which, when put together, yield a factual scenario of events and answer the questions the plaintiff may have. Forensic analysis is also called digital forensics, inforensics or computer forensics.

You have been the victim of an intrusion or any other computer security incident affecting workstations, servers, a website, mobile phones, an IPBX... You suspect identity theft or a potential theft of confidential information.


AlgoSecure is one of the few companies in the Rhône-Alpes region to be certified in forensics by an internationally recognized organization: the GIAC.

We can help you retrieve digital evidence in accordance with legal procedures so that the evidence is admissible by a jury and therefore usable in a judicial investigation or trial.

To avoid altering the evidence, speed of response and adherence to a strict protocol are paramount. So don't wait too long before contacting us!


Frameworks for intervention

A digital investigation generally takes place within one of two frameworks.

Legal framework

In a court case involving digital media searched for investigative purposes, the judge may call in a forensic expert to "make the media talk" and ultimately help the judge reach a decision. A court expert is a natural or legal person with professional expertise in a particular technical field, specially authorised to act as an expert in court cases at the request of a judge. The expert's opinion is not binding on the judge, who remains free to evaluate the elements provided.

In this framework, the lines of inquiry are defined by the judge through questions such as: Who? When? Where? What?

However, if during the investigation the expert finds elements that are criminally reprehensible (child pornography, breach of State security, etc.), even if they fall outside the guidelines previously set by the judge, the expert has a duty to report them.

Non-legal framework

This framework is most often encountered with companies, in the context of incident response following an attack on their information system. The most common case is, for example, a ransomware infection of a company's information system.

In this type of situation too, the analysts focus on questions defined by the plaintiff's wishes. It may involve finding out who did what, how and when, and, from these elements, understanding how to contain the incident and above all how to fix the situation as quickly as possible so that activity can resume as smoothly as possible.

As in the legal framework, any element found during the investigation that is criminally reprehensible is to be communicated to the plaintiff. The same applies to any deviation from the company's IT charter.

The steps of a digital investigation mission

A forensic analysis mission consists of four main steps: acquisition, investigation, containment and remediation, and reporting.

Acquisition

This is the stage where the investigators either seize, if they are mandated to, or simply receive the digital media to be analyzed. The media are precisely identified (inventory of hardware and software characteristics) and photographed.

Whenever possible, i.e. if the machine is still running at acquisition time, a capture of the volatile memory (RAM) is taken. It is later used for so-called live forensics analysis, performed on a capture made while the target was running.

Analysts also copy and duplicate persistent storage, in particular hard drives. These copies are used for the analysis called dead forensics. It is recommended to make two copies of each original disk and never to work directly on the original. One copy then serves as a backup in case the other is damaged or fails.

After copying or duplicating a disk, always check its integrity and its exact correspondence with the original disk. This is done by comparing the fingerprint (cryptographic hash) of the original disk with that of each copy.
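The acquisition procedure above (two images of the original, each fingerprinted and checked against it) as an added example, not AlgoSecure's own tooling: the "disk" is a constructed sample file standing in for a block device, and the imager hashes the bytes as it reads them, in the style of a dd-plus-sha256sum workflow.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # read the source in 1 MiB blocks, as a dd-style imager would


def image_to_file(source_path, image_path):
    """Byte-for-byte copy of a source (file or block device) into an image file.
    The bytes are hashed as they are read, so the returned SHA-256 fingerprint
    reflects exactly what was seen on the original during this pass."""
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def sha256_of(path):
    """Independent re-read of a file, used to fingerprint each copy after writing."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_copies(original_hash, copy_paths):
    """Compare every copy's fingerprint with the original's.
    Returns {path: bool}; a False entry means that copy must not be worked on."""
    return {path: sha256_of(path) == original_hash for path in copy_paths}


def acquire_two_copies(source_path, work_dir):
    """Make two images of the original, then verify both against the fingerprint
    taken during the first pass. Returns (original_hash, {copy_path: matches})."""
    copies = [os.path.join(work_dir, f"evidence_copy{i}.img") for i in (1, 2)]
    original_hash = image_to_file(source_path, copies[0])
    image_to_file(source_path, copies[1])  # second pass; verified below, not trusted
    return original_hash, verify_copies(original_hash, copies)


if __name__ == "__main__":
    # Constructed sample "disk": a small random file in place of a real device.
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "original.bin")
        with open(disk, "wb") as fh:
            fh.write(os.urandom(3 * BLOCK_SIZE + 123))
        print(acquire_two_copies(disk, tmp))
```

A copy whose fingerprint differs from the original (a bad sector, an interrupted write) is simply discarded and re-imaged; it is never used as the working copy.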

Investigation

Investigation is a true scavenger hunt. It is in this part of the mission that the analysts conduct searches to find answers to the questions posed by the plaintiffs. To do this, one can proceed as follows.

  1. Establish a timeline of events from the previously acquired persistent media: an ordered history of system, application, disk, user and other events. By focusing on the period of interest given by the plaintiff during the initial exchange, this timeline can already provide leads. However, this initial information is not to be taken as absolute truth, and it is wise to allow a margin of a few days around the period indicated by the plaintiff.
  2. From the recovered data, a skeleton scenario can already be identified. All available types of artifacts must be browsed to find elements that either confirm or disprove this first hypothesis. Live forensics and dead forensics results are to be correlated.
  3. At this point, the initial hypothesis has potentially generated new scenarios. These too must be demonstrated on the basis of artifacts. This phase and the previous one are repeated until no new hypotheses can be established.
  4. All of this allows a logical sequence of events to be deduced, leading to a proven factual conclusion: the final scenario.
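Step 1 above, the timeline with a margin around the plaintiff's period of interest, as an added example that is not part of the original page: events from three constructed artifact sources (a system log, an application log and file modification times, all with different timestamp formats) are normalised to UTC, merged, sorted, and then filtered to the period of interest plus a configurable margin in days. The sample log lines, the documentation-range IP address and the file paths are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample artifacts: one timestamp format per source, as found in practice.
SYSTEM_LOG = [
    "2024-03-12T08:15:02Z sshd accepted password for admin from 203.0.113.7",
    "2024-03-12T08:17:45Z sudo admin COMMAND=/usr/bin/tar",
]
APP_LOG = [  # (web-server style timestamp with local offset, message)
    ("12/Mar/2024:07:58:10 +0100", "POST /login 200"),
    ("14/Mar/2024:22:03:31 +0100", "GET /export 200"),
]
FILE_MTIMES = [  # (path, modification time as Unix epoch seconds)
    ("/srv/data/clients.tar", 1710231480),  # 2024-03-12T08:18:00Z
    ("/srv/data/notes.txt", 1709000000),    # 2024-02-27, outside the period
]


def parse_system(line):
    ts, _, msg = line.partition(" ")
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt, "system", msg


def parse_app(ts, msg):
    # %z parses the "+0100" offset; astimezone normalises every source to UTC
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc), "application", msg


def parse_mtime(path, epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc), "filesystem", f"modified {path}"


def build_timeline():
    """Merge all sources into one list of (utc_time, source, message), oldest first."""
    events = [parse_system(line) for line in SYSTEM_LOG]
    events += [parse_app(ts, msg) for ts, msg in APP_LOG]
    events += [parse_mtime(path, epoch) for path, epoch in FILE_MTIMES]
    return sorted(events)


def events_of_interest(timeline, start, end, margin_days=3):
    """Keep events inside [start - margin, end + margin]: the plaintiff's dates are
    a lead, not a hard boundary, so a few days either side are included."""
    lo, hi = start - timedelta(days=margin_days), end + timedelta(days=margin_days)
    return [event for event in timeline if lo <= event[0] <= hi]


if __name__ == "__main__":
    period = (datetime(2024, 3, 12, tzinfo=timezone.utc), datetime(2024, 3, 13, tzinfo=timezone.utc))
    for when, source, msg in events_of_interest(build_timeline(), *period):
        print(when.isoformat(), source, msg)
```

With the margin set to 0 only the four 12 March events survive; with the default margin of 3 days the export on 14 March also appears, which is exactly the kind of lead the margin is meant to catch.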

Containment and remediation

Whether this phase takes place depends on the context; it does not occur, for example, in the context of a judicial investigation of a crime.

In the case of a malware infection, the goal is to stop the spread and, if possible, to get the information system up and running again.

Report

The report is written by the analyst team and is a clear, substantiated presentation of the digital traces supporting the answers to the initial questions. Its clarity and precision are essential in view of the decisions that may follow, particularly in the context of a trial.

In the case of an incident response, protective measures may also be suggested to prevent a recurrence of the incident.

Constraints and difficulties

A digital investigation rarely proceeds under optimal conditions, mainly because of the following difficulties.

  • Inability to access all the necessary event logs because of insufficient log retention policies.
  • Inability to access RAM, since machines are often switched off before the investigation begins (which is still the right thing to do in the case of ransomware).
  • Intervention scheduled over too short a timeframe for a complete and fruitful analysis.
  • Difficulty sorting relevant information out of the large volume of data available.
  • Difficulty assessing the full extent of an attack, especially on large information systems.

Forensics: advantages

There are several advantages to conducting a digital investigation.

For a client, it may mean:

  • finding answers to the questions they were asking themselves,
  • making informed decisions or judgments based on factual evidence,
  • resuming the company's activity with peace of mind.

More generally, the community potentially gains:

  • the discovery of new Indicators of Compromise (IOC),
  • stronger Threat Intelligence content, arising from the first point,
  • the prevention of attacks in other contexts, arising from the first two points.
