Digital Forensics

Does your organization suspect that:

  • Internal data has been stolen, deleted or tampered with?
  • Computer systems are behaving strangely, with IT pointing to a possible undiscovered malware infection?
  • Networks are behaving erratically (data transfers detected at odd hours)?

DFIR Vietnam can help companies and individuals looking for answers about events where digital equipment (computers, mobile devices, servers) is suspected to have been used as a tool or accessory to crimes or contract breaches. These could be investigations of alleged theft of intellectual property, security breaches on systems and networks, or just suspect behavior of systems or employees.

We achieve this by professionally identifying and preserving the state of relevant IT devices: we take snapshots of the suspected digital equipment (in a non-destructive manner) and then analyze that information. Our analysis includes hundreds of different operations, including probing systems for deleted files to recover (file carving), checking usage logs, removable media usage, installed / uninstalled software…

The main deliverable is a report and event timeline, tailored to the client's requirements, with concrete facts about the alleged case. This report can be used internally or for litigation support services if required.

In all cases, the facts available from a forensic analysis will depend on the information at hand. An investigation has a better chance of giving useful results if the evidence is collected as close as possible to the time of the event (the digital “footprints” being fresh on the ground). Where this is not possible, because the event was discovered months later, a review of existing backups or current equipment images could be useful, but the level of forensic detail will vary.

Our main advice for customers in this situation is to take forensic images as soon as possible. The best option is to take an image with specialized equipment (write-blockers) that will prevent any changes to the media under analysis.

If you cannot engage a forensic specialist like us at the time, we recommend using DEFT Zero, a live USB distribution, alongside a portable USB drive to take a forensic image of desktops, laptops or servers with reasonable quality as soon as possible. Our forensic image tutorial is available here.

If you decide to engage us to work with you on a forensic investigation, we offer a variety of digital forensics services comprising the acquisition of media (imaging), the analysis of the evidence captured and the reporting of data.