Secure Drive Imaging

INCIDENT RESPONSE

Forensic Analysis

Essentials

Forensic Analysis is the use of controlled and documented analytical and investigative techniques to identify, collect, examine, and preserve digital information. Recognizing the fragile nature of digital data, and the legal and regulatory requirements to properly preserve electronically stored information (ESI) during forensic investigations, SecureState maintains standards relating to protecting ESI against manipulation or destruction.

When an incident occurs, the Incident Response Team may deem it necessary to perform a forensic investigation based upon legal, financial or regulatory requirements. The purpose of forensics is to determine actions, motives, vectors, effects, and evidence for incidents, misuse, theft, or fraudulent activities.

Benefits

In the event of an adverse incident involving an organization, whether it is an external breach, an internal intellectual property theft, or an employee Internet abuse case, data must be preserved and analyzed in order to determine the actions, motives, vectors, and effects, in addition to collecting evidence. SecureState has one defining principle for Forensics: Be repeatable and defensible. SecureState’s Incident Response Team forensically collects evidence to maintain the integrity and reliability of the data. All efforts are made to ensure evidence is not altered, modified, or corrupted. SecureState’s evidence collection policy is established to protect the integrity, original state and confidentiality of sensitive, regulatory, confidential or proprietary information, including HIPAA, PCI, PI and PHI, and to comply with legal or regulatory requirements.

Expertise

SecureState’s Incident Response Team is comprised of industry experts with experience in Military Intelligence, Law Enforcement, and Big X Consulting. Members of our Team have been involved in the acquisition and forensic analysis of data in high-profile events including the Space Shuttle Columbia Disaster. They have coordinated Incident Response teams that included FEMA, AFCERT, and DHS against inclement weather, terrorist activities, and world-wide threat events. Several members of the Team have high-level government security clearances and are trusted with the nation’s most classified secrets. Our strategic partnerships with the FBI, DHS, US-CERT and InfraGard permit SecureState to obtain the latest cutting-edge and persistent attacker techniques and exploits, which gives us the information necessary to identify those attacks, contain them, and eradicate them. This information is restricted to only certain trusted individuals in Information Security, allowing SecureState to stay ahead of the competition. With unimpeachable ethical standards and unsurpassed technical skills, SecureState’s Incident Response Team is ready to assist with even the most complex businesses’ information security readiness and response.

Services

Forensic Analysis is essential in a variety of data-theft incidents, litigation matters and enterprise-wide investigations. SecureState employs industry-approved and professional-grade acquisition, collection, verification and analysis tools. SecureState’s Forensics and Incident Response kits contain the latest in proven, tested and trusted technology with imaging rates around 10 gigabytes per second, and the ability to collect system and network artifacts across an organization within hours. This allows rapid analysis and acquisition of systems and evidence without losing integrity, accuracy, or business processing time. SecureState’s Forensic Analysis services include:

  • Proprietary Information Theft Reconstruction and Analysis
  • Deleted Data Recovery and Analysis
  • Expert Witness Testimony
  • Data Preservation
  • Mobile Device Acquisition and Analysis
  • Computer and User Artifact Reconstruction
  • Network, End-node and Application Response
  • Identification and Eradication of Malicious Code
  • Staff Augmentation to support the Organization’s Response Team
  • Reverse Malware/Virus Analysis
  • Digital Surveillance, Tracking, Auditing and Logging
  • Memory Acquisition, Extraction, and Analysis
  • Anomaly-Based and Timeline Analysis


Did You Know?

    Common Misconception:
    • Most organizations have the expertise and necessary tools to perform repeatable and defensible investigations

    Reality:
    • Organizations have personnel that can technically troubleshoot network and system issues, but rarely understand forensically-sound collection and analysis

    Facts:
    • Any investigation on systems or devices affects evidence and therefore the accuracy of analysis
    • SecureState maintains a facility that is designed to the specifications required for Sensitive Compartmented Information Facilities (SCIF).
    • SecureState integrates only the best tools within our forensic arsenal such as Guidance Software, AccessData, Paraben, F-Response, and SIFT
    • Our incident response personnel and forensic experts maintain some of the toughest certifications around: GCIH, GCFA, GCIA, GREM, CISSP, GPEN and others

Our Approach and Methodology

Forensic analysis is the use of controlled and documented analytical and investigative techniques to identify, collect, examine and preserve digital information. SecureState provides a thorough approach to the forensic methodology, and ensures all tools, methodologies and processes are forensically sound and unaltered. SecureState works as an extension of the corporation’s response team to help ensure relevant and efficient analysis for three primary areas of forensics: Evidence Acquisition, Evidence Analysis, and Evidence Reporting.

Forensic Acquisition: Computer Forensics Acquisition is the process of acquiring electronic evidence in a manner that preserves the data and maintains chain of custody. SecureState establishes tested and proven methodologies for acquisition, information gathering and structured reporting of security-related events. Electronic evidence contains the information needed to understand how the events happened, resources or data that may have been affected, and mitigation strategies. It is essential that electronic evidence is acquired in a methodical, safe, and secure manner.

Evidence Collection: All evidence collection procedures are reviewed by SecureState’s Incident Response Team before acquisition begins. As deemed appropriate, SecureState is the custodian of data and the handler for response, evidence collection and retention, and data or device analysis. All imaging, data collection and documentation will be observed and supervised by a SecureState Lead Investigator.

Forensic Analysis: The primary scope of Forensic Analysis is to identify unauthorized or anomalous indicators, past or present, how they were deployed, and what capabilities they might have had on the system. After determining whether a successful compromise or malicious software exists, SecureState’s primary focus is directed at determining applicable next steps relating to regulatory or legal compliance, as well as business impact and risk. Applicable next steps would involve additional forensic acquisition and documentation, collecting and identifying the initial intent of the compromise, remediation, and determining if any private, regulatory or sensitive data was captured or modified.

Documenting and Recording: All details, facts and processes will be documented as soon as the Response Team begins analysis on a potential incident or forensic investigation. SecureState will incorporate appropriate media for logging the incident process such as host records, tagging and labeling systems. Every step taken from the time the incident was detected and recorded to its resolution will be documented, time-stamped, reviewed, and signed by the incident handler. Since documentation is an ongoing process throughout the examination, it is vital to be complete, accurate, and comprehensive during the reporting process. SecureState will safeguard data related to incidents since it will contain sensitive system or personnel information, data on exploited vulnerabilities, or information that may be needed for law enforcement. To reduce the risk of sensitive information being disclosed, SecureState ensures that access to incident data is restricted and that the data is properly stored. In accordance with applicable policies, rules, regulations, or other governing requirements, SecureState is responsible for the secure and timely delivery of its investigation reports, final incident reports, and all other reports required in accordance with the Incident Response Policies.

What Makes Us Different

With top industry certifications and clearances, SecureState’s Incident Response experts can assist in the forensics of computer investigations, email, intellectual property theft/corporate espionage, and deleted file recovery. SecureState approaches computer forensics by exceeding the methodologies set forth by industry standards and regulatory requirements. In fact, SecureState develops its own policies and investigation protocols through a well-integrated mix of best practices, case law, and subject matter experts in the areas of audit and compliance, risk, and ethical hacking.

SecureState has helped develop, implement, and sustain organizational policies and government regulations that require computer forensic investigations, and has been the case lead and primary technical point of contact for investigating system intrusions, fraud, system abuse, intellectual property theft, harassment, regulatory compliance, and many other Internet and insider-based crimes. SecureState professionals are well trained on incident response, but are also well versed in all aspects of security; we use this integration to help provide in-depth investigations into the origin of an incident, what data may be affected, the impact to the organization, and whether the analysis should dictate a regulatory or legal response:

  • SecureState only employs experts with prior military experience, background checks, security clearances, and some of the toughest security and regulatory certifications around.
  • SecureState relies on many CMEs from all supporting fields and practices to ensure the data, information, and analysis are accurate and thorough.
  • SecureState offers many digital forensic services, including computer forensics, network forensics, mobile device forensics, media forensics, and forensic data analysis.
  • SecureState’s Computer Forensics Team works closely with the other teams at SecureState by integrating services, expertise, industry-approved policies and methodologies, and regulatory or government regulations.
  • SecureState has developed forensic methodologies that are required or driven by regulatory guidelines such as PCI, PHI and privacy laws.
  • SecureState ensures lessons-learned meetings integrate forensic acquisition, tracking, management and validation within the organization’s Incident Response program.
  • SecureState maintains a facility that is designed to the specifications required by Director of Central Intelligence Directive 6/9 Physical Security Standards for Sensitive Compartmented Information Facilities (SCIF).