Forensic analysis is a science concerned with the search for evidence in digital media in order to understand behavior, remedy an incident and help make informed decisions. This evidence consists of traces: digital artifacts that provide information which, when put together, yields a factual scenario of events and answers the questions the plaintiff may have. Forensic analysis is also called digital forensics, inforensics or computer forensics.
You have been the victim of an intrusion or any other computer security incident affecting workstations, servers, a website, mobile phones, an IPBX... You suspect identity theft or a potential theft of confidential information.
AlgoSecure is one of the few companies in the Rhône-Alpes region to be certified in forensics by an internationally recognized organization: the GIAC.
We can help you retrieve digital evidence in accordance with legal procedures so that the evidence is admissible by a jury and therefore usable in a judicial investigation or trial.
In order not to distort the evidence, speed of response and adherence to a strict protocol are paramount. So don't wait too long before contacting us!
A digital investigation mainly takes place in two frameworks.
In a court case involving digital media searched for investigative purposes, the judge may call in a forensic expert to "make the media talk", and ultimately help the judge make a decision. A court expert is a natural or legal person, professional in a particular technical field, specially authorised to exercise his expertise in court cases at the request of a judge. His opinion is not binding on the judge, who is free to evaluate the elements provided.
In this category, the axes of the search are defined by the judge through questions such as: Who? When? Where? What?
However, if during the investigation the expert finds elements that are criminally reprehensible (child pornography, breach of State security, etc.), even if they fall outside the guidelines previously indicated by the judge, he has a duty to bring them up.
This is most often found with companies in the context of incident response following an information system attack. The most common case is, for example, the ransomware infection of a company's information system.
In this type of situation, too, the analysts focus on questions defined by the plaintiff's wishes. It may involve finding out who did what, how and when, and, using these elements, understanding how to contain the incident and above all how to fix the situation as quickly as possible so that activity can resume as smoothly as possible.
As in the legal framework, any element found in the investigations which is criminally reprehensible is to be communicated to the plaintiff. The same applies to any deviation from the company's IT charter.
A forensic analysis mission comprises four main steps.
This is the stage where the investigators either search for, if mandated to do so, or simply receive the digital media to be analyzed. The media are accurately identified (listing of hardware and software characteristics) and photographed.
Whenever possible, i.e. if the machine is running during acquisition, a capture of the live memory (RAM) is performed. It will later be used to perform a so-called live forensics analysis, an analysis of a capture made while the target was running.
Analysts also copy and replicate persistent storage, especially hard drives. These copies will be used to perform an analysis called dead forensics. It is recommended that you make two copies of the original disks and never work directly on the original disk. One of the copies can then be used as a backup in case the other copy malfunctions.
After copying or duplicating a disk, always check the integrity and absolute correspondence with the original disk. This is done by comparing the fingerprints (cryptographic hashes) of the original disk with those of each copy.
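The integrity check described above, as an added example that is not code from AlgoSecure or from the original page: it hashes the original image and each copy in chunks (so multi-terabyte images never need to fit in memory), records two fingerprints per file, and flags any copy whose digests differ from the original's. The file names, the chunk size and the sample images built in `demo_verify` are constructed for illustration; imaging tools usually record hashes at acquisition time, and this script performs the independent comparison step on the resulting files.

```python
import hashlib
import os
import tempfile

# Read images in 1 MiB chunks so that large disk images never have to fit in memory.
CHUNK_SIZE = 1024 * 1024

# Two fingerprints per file: a mismatch in either one means the copy is not faithful.
DEFAULT_ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=DEFAULT_ALGORITHMS):
    """Return {algorithm: hexdigest} for the file at `path`, computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copies(original, copies, algorithms=DEFAULT_ALGORITHMS):
    """Compare every copy's fingerprints with the original's.

    Returns a report with the original's digests and, per copy, its digests and
    a `match` flag that is True only if every algorithm agrees with the original.
    """
    reference = hash_file(original, algorithms)
    report = {"original": reference, "copies": {}}
    for copy_path in copies:
        digests = hash_file(copy_path, algorithms)
        report["copies"][copy_path] = {
            "digests": digests,
            "match": all(digests[a] == reference[a] for a in algorithms),
        }
    return report


def demo_verify():
    """Build constructed sample images (not real evidence) and run the check.

    copy1.dd is a faithful copy; copy2.dd has a single byte altered in the
    middle, which is exactly the kind of defect the hash comparison must catch.
    """
    payload = bytes(range(256)) * 8192  # 2 MiB of deterministic, constructed content
    corrupted = bytearray(payload)
    corrupted[len(corrupted) // 2] ^= 0x01  # flip one bit in the copy
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.dd")
        good = os.path.join(tmp, "copy1.dd")
        bad = os.path.join(tmp, "copy2.dd")
        for path, data in ((original, payload), (good, payload), (bad, bytes(corrupted))):
            with open(path, "wb") as fh:
                fh.write(data)
        report = verify_copies(original, [good, bad])
    # Summarise by file name and confirm the chunked digest equals a one-shot digest.
    return {
        "copy1.dd": report["copies"][good]["match"],
        "copy2.dd": report["copies"][bad]["match"],
        "chunked_sha256_consistent": report["original"]["sha256"]
        == hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    for name, result in demo_verify().items():
        print(f"{name}: {result}")
```

In practice the file arguments to `verify_copies` would be the acquired image of the original disk and the two working copies; the report is worth keeping with the case notes, since it records the digests that were compared and when.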
Investigation is a true scavenger hunt. It is in this part of the mission that the analysts conduct searches to find answers to the questions posed by the plaintiffs. To do this, one can proceed as follows.
This phase occurs depending on the context; it will not take place in the context of a judicial investigation of a crime, for example.
In the case of a malware infection, the goal would be to stop the spread and to get the information system up and running if possible.
This report is written by the analyst team and is a clear, substantiated presentation of the digital traces that answer the initial questions. Its clarity and precision are necessary in view of the decisions that may follow, particularly in the context of a trial.
If this is a response to an incident, protective measures may be suggested to prevent a recurrence of the incident.
A digital investigation rarely proceeds under optimal conditions, mainly due to the following difficulties.
There are several advantages to conducting a digital investigation.
For a client, it may be:
More generally, the community potentially gets:
Computer security specialists in Lyon, Paris, Saint-Étienne and throughout France