Scope of Service
The scope of the Cyber Forensics service may include one or more of the following:
- Computer/Disk Drive Forensics
- Email and Social Media Forensics
- Database Forensics and eDiscovery
- Digital Device Forensics
- Computer Forensic Readiness Assessments
- Computer Expert Witnesses
- Source Code Forensics and Analysis
Cyber Forensics and Investigation Process
The Cyber Forensics service process consists of the following steps:
Step 1: Identification
In the identification phase, the following steps will be taken:
- Verify that the incident has taken place in the particular scenario.
- Determine the breadth and scope of the incident.
- Focus on the nature of the case and its specifics.
- Determine the characteristics of the incident and define the best approach to identify, preserve and collect evidence.
- Gather data about the specific incident and describe the system's role in the organization and in the network.
Step 2: Data Acquisition
In this step, the Ingram Micro team will perform the following:
- Identify possible sources of data, acquire volatile and non-volatile data, verify the integrity of the data and ensure chain of custody.
- Prioritize the evidence collection and engage the business owners to determine the execution and business impact.
- Acquire volatile data: network connections, ARP cache, login sessions, logs, running processes, open files, contents of RAM and other pertinent data.
- Clearly describe how the evidence was found, how it was handled, and the actions that happened to it.
Step 3: Recovery
In the Recovery step, the Ingram Micro team will recover data from the file systems of the system in scope, using tools such as The Sleuth Kit to analyse the file system, data layer and metadata layer. This includes analysing slack space and unallocated space, and in-depth file system analysis.
Step 4: Forensic Analysis
After evidence acquisition, the Ingram Micro team will investigate and analyse the evidence in their specially built forensic lab. This forensic analysis uses different strategies and techniques, each with its own procedure. These are explained below:
Timeline analysis:
This step is crucial because it presents information such as which files were modified, accessed, changed, and created, in a human-readable format. For memory artifacts, timeline analysis is very useful in reconstructing the case. Finally, we generate a snapshot of the activity on the system, including its date, the artifact involved, the action, and the source.
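The timeline described above can be illustrated with a short added example, which is not part of the original page or of Ingram Micro's tooling. It turns file system timestamps into date / action / artifact / source rows, assuming the input is a Sleuth Kit 3.x bodyfile; the sample entries, paths and the `source` label are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the Sleuth Kit 3.x bodyfile layout (assumed here):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/home/alice/report.docx|1201|r/rrw-r--r--|1000|1000|48213|1700003600|1700000000|1700000000|1699990000
0|/tmp/dropper.bin|1340|r/rrwxr-xr-x|1000|1000|9120|1700003600|1700003600|1700003600|1700003600
0|/var/log/auth.log|88|r/rrw-r-----|0|4|20480|0|1700007200|1700007200|1699000000
"""

# Position and letter of each timestamp in the "macb" action field.
MACB = {"mtime": (0, "m"), "atime": (1, "a"), "ctime": (2, "c"), "crtime": (3, "b")}


def build_timeline(bodyfile_text, source="bodyfile"):
    """Return (utc_time, macb_action, artifact, source) rows sorted by time."""
    events = defaultdict(lambda: ["."] * 4)  # (epoch, path) -> macb flags
    for line in bodyfile_text.splitlines():
        if "|" not in line:
            continue
        _md5, rest = line.split("|", 1)
        cols = rest.rsplit("|", 9)  # a "|" inside the file name stays in cols[0]
        if len(cols) != 10:
            continue  # malformed row: skip rather than guess
        try:
            stamps = dict(zip(("atime", "mtime", "ctime", "crtime"), map(int, cols[6:10])))
        except ValueError:
            continue
        for field, epoch in stamps.items():
            if epoch > 0:  # 0 is treated here as "timestamp not recorded"
                pos, letter = MACB[field]
                events[(epoch, cols[0])][pos] = letter
    rows = []
    for (epoch, path), flags in sorted(events.items()):
        when = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, "".join(flags), path, source))
    return rows


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODYFILE):
        print("  ".join(row))
```

A row such as `macb` on a single second, where all four timestamps coincide, is typical of a file freshly written to disk, which is why the merged view is easier to read than per-file timestamps.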
Artifact Analysis:
In this step, we will extract more information about the case: what programs were executed, which files were infected, dropped or executed, which directories were created, deleted or modified, the user's browser history, and much other information.
Step 5: Reporting
In this phase, we will report the results of the analysis. This may include a description of the actions performed, a determination of other actions that need to be performed, and recommendations to improve policies, guidelines, procedures, and tools. The Ingram Micro team will provide a detailed report to be used as evidence for legal or administrative purposes.
Deliverables
Upon completion of the Cyber Forensics Investigation, a detailed report will be provided to the customer including the following:
Executive Summary: Summary of the purpose of this assessment, as well as a brief explanation of the threats that the organization is exposed to from a business perspective.
Findings: A detailed technical explanation of the findings with evidence steps and proofs of the investigation process.
Explanation: Depending on the forensics case and customer requirements, a detailed explanation and report will be provided.
Service Delivery Time
The Cyber Forensics service can be completed in five business days.