Computer Investigations: Remote Digital Forensics

by Jason Hare Executive

There are many instances when forensic investigations need to be conducted covertly. For instance, corporate internal investigations where issues can include theft of IP, fraud and sabotage often require a covert approach, to enable business to continue as usual and to ensure that those under suspicion are not aware that they are being investigated.

We have worked on a number of engagements where the key requirement has been for the investigation to be conducted covertly. Covert investigations can be conducted in two ways: dead box – getting direct physical access to the device in question while the user is away, and taking a forensic image of it for further investigation; or remotely, over the network without physical access to the device.

The dead box route may only prove to be partially successful. With more and more employees now working primarily on mobile devices (laptops, tablets, smart phones), remote investigations are becoming an increasingly important method of investigation. Storming into offices at the dead of night may not be as useful as it was 10-15 years ago, when the majority of people used a desktop.

We have conducted many remote investigations for clients. Launching a remote investigation involves implementing an investigative infrastructure within an organization's corporate network, which then allows investigators to remotely acquire data from custodians’ laptops, or other devices, when they are connected to the corporate network.

This is achieved by deploying what is essentially a ‘Trojan’ to the devices (a Trojan which is secure and fully under our control), so that we are able to access and acquire data from user devices without the users' knowledge. This has proved particularly useful when the suspects are remote workers, or even when custodians are based in different countries.

Files, emails, web browsing history…this can all be investigated without even touching (or being anywhere near) the device itself. This data can subsequently be examined through keyword searching to confirm suspicions or even potentially uncover other avenues for investigation.

So while not as action-packed as bursting into the swish offices of a mega-company at the dead of night to take copies of the devices involved, and sneaking around to make sure no one notices anything has happened, remote forensics can be a useful method of investigation when physical access to the device just isn’t feasible. Whichever approach is taken, it is important that it is done in a forensic manner, ensuring all possible data and metadata is preserved and that the process is fully defensible should the integrity of the evidence ever be questioned.

For more information on social media investigations, computer investigations, digital forensics, or any of CCL’s products and services, call us on 01789 261200, email info@cclgroupltd.com or visit http://www.cclgroupltd.com/digital-forensics.

Author:
Sara is a digital forensics specialist at CCL Group, the UK’s leading supplier of electronic disclosure and digital forensics consultancy, including computer forensics, mobile phone forensics and digital investigation services. For more information, visit www.cclgroupltd.com