Category: Forensics

Forensics Steps: Imaging

Over the past 18 months, our profile in IT forensics has been raised a bit. What started out sometime back as a call to me on a Saturday from another partner, asking “Can you guys recover deleted files from a computer?”, turned into another journey that eventually created our relatively new technical services group catering to IT forensics and penetration testing services. So aside from CISA for auditors and assurance, we ended up with CHFI guys, and CEH guys. More acronyms usually make us more technical sounding.

On a serious note, IT forensics is relatively new; and we didn’t go into it totally without guidance. We’ve worked with Cybersecurity, and still do, especially during the acquisitions and analysis. Recently, we’ve got in a few devices ourselves, namely the Tableu TD2 and writeblocker to do some serious work with imaging. Before this, we primarily used FTK and USB based imaging, and using software writeblocking through the registry. It was fine, but it wasn’t something that we could do long term, especially looking at a job where we had to image 30 hard drives in 2 days. While we roped in our partners to help out, we also used our TD2 to good effect, and happy to add, that we’re ready for bigger projects.

Imaging itself is simply half the job done. In fact it’s just a part of it. We’ve also had to physically tag, inventorise, chain of custody, secure the physical evidence through tamper proof tapes and bags. Once imaged, we have to verify the image for integrity through a hash check and then secure the original evidence under lock and key. The original evidence, in this case, we sent back to the owners, along with the chain of custodies.

While you might think imaging is relatively simple, it’s tedious. In this case, we had a server where we had to image live, in order not to break the RAID. Live imaging is a pain, because it takes enormous amount of time to get it done. Sometimes, we face hours of imaging and at the end of it, it says that the disk is corrupted.

But overall, get the documentation right, and make sure the images are secured. These will be the images where we will run analysis with, so take it as seriously as a primary evidence.

Once this portion is done, we are looking at analysis, which constitutes a whole other chapter. CSI, this is not, I guarantee you. Most of the time, we’re looking for a needle in a barnyard of haystacks. The proverbial smoking gun. Usually we don’t find it, so I don’t quite believe how CSI New York can solve a case in 45 minutes, built on a hair found conveniently trapped within the car door. Which has been burnt and sunk. And scrapped into a million pieces and left in the trash for 20 years. Seriously, Hollywood.

From the hours of bleary eyed reviews of thousands of lines of files and emails and patched up text files, we can use bits and pieces, but it’s usually not as rewarding as our CSI bedfellows.

If you need any more information or services regarding IT forensics or data recovery, do let us know at


Web Trawling: Your life is on the Net

I remember, almost 20 years ago, a movie called “The Net” came out, starring Sandra Bullock. It was one of the first few movies dealing with information security and theft, and invalidation back in the heydays, when we thought the internet was a new brand of spandex.

Fast forward 20 years and here we are. The information highway was incorrectly named. It wasn’t a high way, or even a super highway. It is now an intergalactic, hyperspeed wormhole that every single imaginable information is being collected and stored, and waiting to be trawled.

Trawling is a term we often use when we want to find out more about certain people or things on the internet. We use specialised tools to help us create informational relationships, connecting the dots.

In Avant Edge, we do quite a bit of forensics work. Part of forensics is actually forming the context. If it is an individual, we’d like to know not just what’s in his laptop, but his online habits, the forums he has posted, whether he is active in the social network, who has he been in frequent touch with; and whether he eats green or red apples. So it has to be the CIA or FBI then, right?

Nope, because most information can be obtained freely on the net. It’s scary. You can basically vanity search your own name and you’ll be surprise what’s out there. Private investigators can now conjure up scenarios based on bits and pieces found on the internet.

Web Trawling could be another branch of information audit we will be including for 2013. With some customised tools, we can basically craft relationships of an entity as we trawl entirely through the internet.

Here’s a very scary proposition, illustrating our idea:



© 2024 PKF AvantEdge

Up ↑