Our computer forensic services cover three data areas. Data from each area is collected, decoded, analyzed and indexed in the DFIR-VN labs. This can happen at our offices or, if the confidentiality of the data requires it, we can build a portable lab on the customer's premises.
Media forensics
This is traditional storage forensics, covering hard drives (both magnetic and SSDs), USB removable devices and CD/DVD media. Whenever possible we capture these using forensic-grade equipment with our selection of write-blocker devices. Such a capture ensures that the original media is not modified, that media read errors can be handled, and that hidden areas such as the Host Protected Area (HPA) and the Device Configuration Overlay (DCO) are captured as well. If this is not possible (since it requires the drives to be removed from servers/desktops), we can still perform a software read-only capture, but this may not be as accurate.
Memory forensics
This is only performed on machines that are powered on and running, and that are suspected of malicious behavior or of having been used to run software without installing it (for example portable apps launched from a USB device). The capture can be done with dedicated tools (such as DumpIt on Windows – https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c) or, if virtualization is used (VMware, KVM or Xen), a memory snapshot can be taken directly through the hypervisor's management interface.
Backup forensics
While disk and memory forensic images are useful to get a detailed current snapshot of system state, the DFIR-VN team can also analyze existing backups. There are two types of backups we encounter in our engagements:
- The first are filesystem backups, which image the whole disk and allow a reinstall onto bare metal. Our usual analysis is to take the backup, restore it onto a virtual disk image of the same size as the original disk, mark that as read-only, and then image the virtual disk using standard media forensic tools. We have used Veeam, Acronis and Time Machine, but we can use any restore live CD or DVD in order to handle whatever format is required.
- The second are file or directory backups, normally to local storage or cloud services. Depending on the setup, these may include file versioning. In this case we simply ingest the files into our indexing systems and analyze the file metadata.
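The imaging step that both the media forensics and the filesystem-backup paragraphs above rely on (mark the source read-only, copy every block without stopping on read errors, and hash the source before and after so the copy can be shown to be faithful and the source unmodified) can be scripted as shown here. This is an added example and not DFIR-VN's own tooling; the source "disk" is a constructed 1 MiB raw file so the script runs offline, and the function names are my own. In real use the source would be the restored virtual disk image, or a block device sitting behind a write-blocker.

```shell
#!/bin/sh
# Added example: acquire a read-only disk image with dd and verify it by hash.
# Not part of the original page; helper names are this example's own.
set -eu

# Portable SHA-256: GNU coreutils sha256sum, or BSD/macOS shasum as fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Constructed sample "restored virtual disk": 1 MiB of zeros with a marker
# string at offset 0, then marked read-only as the backup step describes.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'CONSTRUCTED-SAMPLE-DISK' | dd of="$1" conv=notrunc 2>/dev/null
    chmod 0444 "$1"
}

# Acquire: copy block by block; conv=noerror keeps going past read errors,
# conv=sync zero-pads a short block so later offsets stay aligned.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Verify: hash the source before acquisition, hash the image, hash the
# source again afterwards. Records all three next to the image and prints
# "match" when they agree (image faithful, source untouched), else MISMATCH.
verify_acquisition() {
    src="$1"; img="$2"
    before=$(sha256_of "$src")
    acquire_image "$src" "$img"
    image=$(sha256_of "$img")
    after=$(sha256_of "$src")
    printf 'before=%s\nimage=%s\nafter=%s\n' "$before" "$image" "$after" >"$img.hashes"
    if [ "$before" = "$image" ] && [ "$before" = "$after" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Stand-alone run against the constructed disk.
workdir=$(mktemp -d)
make_sample_disk "$workdir/restored.raw"
verify_acquisition "$workdir/restored.raw" "$workdir/evidence.dd"
```

The "after" hash is the important one for the backup workflow: it demonstrates that the restored virtual disk was not altered while it was being imaged, which is what marking it read-only is meant to guarantee. Note that conv=sync only keeps the image the same size as the source when the source length is a multiple of the block size; for a real device, use a block size that divides its sector count, or note the padding in the acquisition log.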