What should the client expect when engaging a computer forensic expert to investigate a computer hack?


Some computer forensic examinations aim to help experts investigate hacking attempts against computers, mobile phones and other digital devices with an operating system. On Microsoft Windows-based computers, for example, the digital forensic expert may, among other things, analyse numerous sources such as the registry, event logs and memory dumps in order to find traces typical of the various tricks hackers use to penetrate the client’s computer system. In this particular case, the expert will look at artefacts located in Amcache, Shimcache, Syscache, BAM/DAM, AppInit DLLs, changes to default file associations, scheduled tasks, remote connections (RDP, Remote Connection, TeamViewer, RATs and others), start-up tasks, browser extensions and so on, in order to detect any suspicious connections, malware, rootkits or scripts and analyse their behaviour.
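As an added illustration of one artefact from the list above (not code from the original page), the sketch below decodes BAM entries, where each value name is an executable path and the data begins with an 8-byte FILETIME of the last execution. It assumes the values were already exported from the SYSTEM hive into a dictionary; the sample data, the padding bytes and the list of user-writable path fragments are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: illustrative fragments of user-writable locations, not an exhaustive list.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def filetime_to_utc(raw: bytes) -> datetime:
    """Decode a little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack_from("<Q", raw, 0)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt: datetime) -> bytes:
    """Inverse helper, used only to build the constructed sample below."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)

def parse_bam(values: dict) -> list:
    """Return (path, last_run_utc) pairs, newest first."""
    entries = []
    for name, data in values.items():
        # Bookkeeping values (e.g. Version, SequenceNumber) are short DWORDs, not paths.
        if not isinstance(data, bytes) or len(data) < 8 or not name.startswith("\\"):
            continue
        entries.append((name, filetime_to_utc(data)))
    return sorted(entries, key=lambda e: e[1], reverse=True)

def flag_user_writable(entries: list) -> list:
    """Paths executed from user-writable locations, which merit a closer look."""
    return [p for p, _ in entries if any(f in p.lower() for f in USER_WRITABLE)]

# Constructed sample: value name -> raw registry data (FILETIME + padding bytes).
PAD = b"\x00" * 16
NOTEPAD = r"\Device\HarddiskVolume3\Windows\System32\notepad.exe"
UPDATER = r"\Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE = {
    "Version": b"\x01\x00\x00\x00",
    "SequenceNumber": b"\x2a\x00\x00\x00",
    NOTEPAD: utc_to_filetime(datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)) + PAD,
    UPDATER: utc_to_filetime(datetime(2024, 3, 1, 12, 30, tzinfo=timezone.utc)) + PAD,
}

if __name__ == "__main__":
    timeline = parse_bam(SAMPLE)
    for path, when in timeline:
        print(when.isoformat(), path)
    print("review:", flag_user_writable(timeline))
```

A flagged path is only a lead for the examiner; it has to be interpreted alongside the other artefacts before any conclusion is drawn.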

Computer forensic reports do not represent the view of the commissioner of the report, even though the commissioner pays the bill. Expert reports reflect only the logical analysis of the digital artefacts found in all the examined digital media. The findings and conclusions may not necessarily be favourable to the client or the commissioner of the report. No computer forensics company can accept work based on pre-determined results that the commissioner wishes for or favours.

The experts’ analysis of the material found in the digital media, their interpretation of it and their professional opinion must conform to certain established standards. They must therefore be guided by the facts and by the context in which particular digital forensic artefacts are found in computer systems and mobile devices. The findings and the expert comments in the final report may support the client’s case or have a neutral effect on it. Occasionally they may not even help the client’s case, depending on what is found and how the findings are interpreted and expertly presented based on the facts on the ground.

Furthermore, the client or the commissioner of the report cannot dictate how the investigation or the forensic examination should be done or where it should start. They can, of course, determine the terms of reference and the objectives of the investigation, but not the method and/or the tools. For example, in a typical case we will definitely investigate the IP address the client has provided, but once the investigation is underway we may find that this IP address is just a transient/ephemeral server IP address that no longer exists. Another possibility is that the IP address in question is just the IP address of a firewall, a proxy server or a VPN, which may do nothing to help identify the source of the fraud or the breach. Alternatively, the forensic experts may find that there are other things they have to consider or other methods to use. This may help the expert to attribute the fraud and/or to discover and identify the fraudster along with his or her location, server, firewall or internet service provider.