

Digital Forensics

What Is Digital Forensics?

Digital forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.

The goal of digital forensics is to perform a structured investigation and maintain a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it.

Importantly, the process should be clear and repeatable so that whoever undertakes the investigation arrives at the same conclusion.

Essentially, digital forensics is data recovery with legal compliance guidelines.
It should be noted that the use of digital forensics isn’t always tied to a crime.

What Can You Expect From A Digital Forensic Investigation?

At CyberWhite, our experts can help you recover, extract, investigate and analyse evidence from working and non-working (mechanically failed), deleted and corrupted digital data storage devices, including cloud-hosted locations that may have been used during an incident, to determine and report the who, what, when, where, why and how of an incident.

Questions Addressed During A Typical Investigation Include:

Who opened, executed, emailed, copied or deleted the data – to whom was the data sent, and who else was involved or had access to the device or data?

What data was accessed, copied, sent, printed, screen captured, deleted, obfuscated, password protected or encrypted – what applications or devices were used, what programs were installed, deleted or uninstalled, what other data could have been affected, what websites, social media, online communication, forums, file storage sites etc. were visited, what was posted or uploaded, what was the sequence of the events?

When was the data accessed, copied, sent, printed, screen captured or deleted – when were the applications or devices used, installed, deleted or uninstalled?

Where else is the data located? Where was the data sent, uploaded, copied or printed to?

Are there any correspondence, metadata or activity logs that could assist in answering this question?

How was the data accessed or compromised, how did the data get on or off the device, how did the person communicate with other people?

Our Areas Of Expertise Include:

Onsite, remote and in-lab data acquisition from almost all types of digital storage devices. We can also review forensic images that have been created by third parties.
Forensic data extraction from faulty and difficult-to-access storage devices.
Computer Forensics (Windows, Mac, Linux etc.)
Mobile Device Forensics (Android and iOS devices – smartphones, tablets, GPS devices, Kindle, media devices, SIM cards etc.).
Cloud Forensics (Apple, Amazon Web Services (AWS), Dropbox, Facebook, Instagram, Twitter, Uber, WhatsApp, G Suite, Gmail, Microsoft Azure, Office 365, Office 365 SharePoint, OneDrive, Microsoft Teams and Slack). Some applications may require administrator or user credentials depending on the service.
Email Forensics (MS Exchange, Outlook, G Suite, Gmail, Office 365 etc.)
Drone Forensics.
IoT Forensics.
Memory Forensics (Windows, Mac, Linux).
Database Forensics (MSSQL, MySQL etc.).

How Does Computer Forensics Work?

Our forensic investigators typically follow standard procedures, which vary depending on the context of the forensic investigation, the device being investigated or the information we are tasked with finding. In general, these procedures include the following three steps:

Data Collection

Electronically stored information must be collected in a way that maintains its integrity. This often involves physically isolating the device under investigation to ensure it cannot be accidentally contaminated or tampered with. We make a digital copy, often referred to as a forensic image, of the device’s storage media. Once this process is complete, the device is stored in a secure location to ensure it is not accessed until the investigation is complete. The investigation is then conducted on the forensic image. In other cases, publicly available information may be used for forensic purposes, such as social media posts.
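An added example, not CyberWhite's own tooling: one way to make the integrity of a forensic image checkable by anyone who repeats the work is to hash the image at acquisition and record each handling step in a hash-chained custody log. SHA-256, the log fields and the function names are assumptions chosen for illustration.

```python
import hashlib
import json

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never sit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def append_entry(log, action, examiner, image_path, when):
    """Append a custody entry whose hash covers the previous entry's hash."""
    entry = {
        "seq": len(log),
        "when": when,
        "examiner": examiner,
        "action": action,
        "image_sha256": sha256_file(image_path),
        "prev": log[-1]["entry_hash"] if log else "0" * 64,
    }
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(canonical).hexdigest()
    log.append(entry)
    return entry


def verify(log, image_path):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True).encode()
        if hashlib.sha256(canonical).hexdigest() != entry["entry_hash"]:
            problems.append(f"entry {entry['seq']}: record altered")
        if entry["prev"] != prev:
            problems.append(f"entry {entry['seq']}: chain broken")
        prev = entry["entry_hash"]
    if log and sha256_file(image_path) != log[0]["image_sha256"]:
        problems.append("image no longer matches acquisition hash")
    return problems
```

Because each entry commits to the one before it, editing an earlier record without recomputing every later hash shows up as a broken chain, and any change to the image itself fails the comparison with the acquisition hash.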



We then proceed to analyse the forensic image in our forensic lab, evaluating and compiling evidence. Various tools are used to assist in this process, including Autopsy, Wireshark, EnCase, FTK, Magnet AXIOM and Oxygen.

We use multiple tools to validate the results.



Once the investigation is complete, our findings are presented to you in a clear, easy-to-understand report.

The original device is also returned to you along with the forensic image.


What Next?

If you have an incident where you believe you may require forensic assistance, please call us immediately.

We’ll talk you through the process of securing the evidence, including what to do if the device is still connected to power.

Alternatively, contact us for a free copy of our “Securing the Scene” worksheet.


    What Our Clients Say

    “CyberWhite have been a pleasure to deal with by repeatedly demonstrating their professionalism and technical knowledge throughout the procurement process and execution of our project. From initially exploring our goals to a consultant working with us on-site and remotely, we’ve enjoyed a positive experience that has ultimately benefited our organisation and helped to improve our Cyber Security posture.”

    Head of Network and Infrastructure

    View our video Testimonial from Clear Links by Gerard Norris, Central Operations Manager


    View our video Testimonial from Hays Travel by Ken Campling, Group Finance Director


    “I would like to say a thousand “thank you’s” to CyberWhite after rescuing us from the commercial disaster we faced after being subjected to a very sophisticated fraud. Without the timely involvement and expertise from CyberWhite, we would undoubtedly have faced catastrophic consequences including a significant financial loss and possibly a forced closure of the business. We will always remember the kindness and professional approach taken by the CyberWhite team. They were able to successfully recover the critical data which was the life blood of our business. This expertise has allowed us to continue trading and provided us with the additional benefits of ensuring that we are more cyber risk aware and we now have a security partner to support us.”

    Jon Moore, Director

    Our video Testimonial from Mental Health Concern (NHS) by Lawrence Thompson, Head of IT


    “As an Operator of Essential Services, PX Group comply with advice provided by recognised security bodies such as NCSC. The advice is relevant to all organisations who provide infrastructure or support to the UK’s critical national infrastructure. PX Group engaged CyberWhite to undertake Third Party Security Audits (aligned to ISO28000:2007) against key suppliers who had access to information assets within the PX Group domain. CyberWhite created a comprehensive audit document set and supported this with interviews and visits in order to validate responses. The output from CyberWhite was comprehensive and provided security assurance to PX Group’s stakeholders and interested parties that the key suppliers had a focus on security and understood and could demonstrate best practices in relation to the handling of PX Group’s information assets. This process has been invaluable in validating what we believed and providing a platform from which we will continue to assess, review and benchmark all parties in our information supply chain.”

    Lee Farrow, ICT Network & Security Specialist