Digital technology continually advances, and so do the tactics of cybercriminals. Well-organized gangs of cyber extortionists plunder billions every year. Databases and hard drives are among the most sensitive points of attack, because their structure and, more importantly, their storage technology contain weaknesses. One consequence is that related data are not always stored in physical proximity; they are fragmented and scattered across the medium. The fragments end up in unused storage areas within a cluster (file slack), in the padding of a file's last sector, which is filled with arbitrary data from RAM (RAM slack), or in the remaining sectors of the cluster, which still hold arbitrary data previously written to the disk (drive slack).
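The following walk-through is an added example, not code from this page or from Tems Security; it models the three slack regions named above for one cluster. The sector size (512 bytes) and cluster size (4096 bytes, eight sectors) are assumptions, and the "old document" contents are constructed.

```python
"""Slack-space walk-through (constructed example; sizes are assumptions)."""
from dataclasses import dataclass

SECTOR = 512     # assumed logical sector size
CLUSTER = 4096   # assumed cluster (allocation unit) size: 8 sectors


@dataclass(frozen=True)
class SlackLayout:
    """Byte offsets inside the last cluster occupied by a file."""
    data_end: int       # first byte after the file's data
    sector_end: int     # end of the last sector that holds file data
    cluster_end: int    # end of the cluster

    @property
    def ram_slack(self):
        # unused tail of the last written sector (padded from RAM on older systems)
        return (self.data_end, self.sector_end)

    @property
    def drive_slack(self):
        # whole sectors of the cluster that are never rewritten: older disk contents survive
        return (self.sector_end, self.cluster_end)

    @property
    def file_slack(self):
        # everything between end of file and end of cluster (RAM slack + drive slack)
        return (self.data_end, self.cluster_end)


def slack_layout(file_size: int, sector: int = SECTOR, cluster: int = CLUSTER) -> SlackLayout:
    """Compute the slack regions in the last cluster of a file of file_size bytes."""
    if file_size <= 0 or cluster % sector:
        raise ValueError("file_size must be positive and cluster a multiple of sector")
    tail = file_size % cluster
    if tail == 0:                                # file ends exactly on a cluster boundary: no slack
        return SlackLayout(cluster, cluster, cluster)
    sector_end = -(-tail // sector) * sector     # round up to the next sector boundary
    return SlackLayout(tail, sector_end, cluster)


def simulate_write(old_cluster: bytes, new_data: bytes, sector: int = SECTOR) -> bytes:
    """Model how writing new_data lands in a cluster that still holds old_cluster.

    Only whole sectors are written: the last sector is padded to its boundary
    (with zeros here, as current operating systems do) and the remaining
    sectors of the cluster are left untouched, so old contents survive there.
    """
    cluster = len(old_cluster)
    if not 0 < len(new_data) <= cluster:
        raise ValueError("new_data must fit into one cluster")
    layout = slack_layout(len(new_data), sector, cluster)
    ram_start, ram_end = layout.ram_slack
    return new_data + b"\x00" * (ram_end - ram_start) + old_cluster[ram_end:]


def carve_drive_slack(cluster_bytes: bytes, file_size: int, sector: int = SECTOR) -> bytes:
    """Return the bytes an examiner can still read from the drive slack of a cluster."""
    start, end = slack_layout(file_size, sector, len(cluster_bytes)).drive_slack
    return cluster_bytes[start:end]


def demo() -> bytes:
    """Constructed scenario: a cluster holding an old document receives a 1000-byte file."""
    old_cluster = b"OLD-SECRET-DATA-" * (CLUSTER // 16)   # 4096 bytes of earlier content
    new_file = b"A" * 1000
    on_disk = simulate_write(old_cluster, new_file)
    return carve_drive_slack(on_disk, len(new_file))      # 3072 bytes of the old document remain


if __name__ == "__main__":
    layout = slack_layout(1000)
    print("RAM slack:", layout.ram_slack, "drive slack:", layout.drive_slack)
    print("recoverable bytes:", len(demo()), demo()[:16])
```

For a 1000-byte file the RAM slack is the 24 bytes up to the sector boundary at 1024, and the drive slack is the six untouched sectors from 1024 to 4096; those six sectors are where a previously stored document can still be carved from.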
Various types of hard drives, such as HPA drives, offer the option to hide the upper part of the hard drive. To operating systems and programs this area is usually invisible and cannot be altered. Such areas are used primarily for system recovery or configuration data. What interests the computer forensic expert is that evidence might be hidden in these locations. Securing this evidence with specialized forensic software, and with a method that assigns a unique code to a physical or logical copy of the system, is crucial: it is the only valid form of evidence in court!
The same applies to DCO hard drives. Removing the upper part of the hard drive can permanently alter the total information on the disk and destroy all evidence. Therefore, the rule for IT administrators is: hands off when data theft or cybercrime is suspected! Contaminating the crime scene only complicates the work of the cyber-forensic expert. Even with SSD memory cards, data may persist after overwriting, because the wear-leveling mechanism makes it impossible to determine which memory cells are actually addressed. To be absolutely sure, only professionals should handle the system.
- Host Protected Area (HPA) hard drives contain information not found in the file and operating system.
- Device Configuration Overlay (DCO) hard drives also contain hidden areas.
- Solid State Drive (SSD) memory cards function similarly to a USB stick.
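The "unique code" assigned to a copy of the system is, in practice, a cryptographic digest recorded at acquisition and recomputed before analysis. The following is an added example of such an integrity record, not Tems Security's own tooling; the 16 KiB image it writes is synthetic, the file names are placeholders in a temporary directory, and the single changed byte stands in for any later contamination of the copy.

```python
"""Integrity record for a forensic image (constructed example, synthetic image)."""
import hashlib
import json
import os
import tempfile


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Digest of an in-memory buffer (used for small checks and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Stream the file through the hash so images larger than RAM still work."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_path: str, manifest_path: str,
                   algorithms=("sha256", "sha1")) -> dict:
    """Record size and digests of the image at acquisition time."""
    record = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": {alg: hash_file(image_path, alg) for alg in algorithms},
    }
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path: str, manifest_path: str) -> dict:
    """Recompute every recorded digest; an empty dict means the copy is unchanged."""
    with open(manifest_path, encoding="utf-8") as f:
        record = json.load(f)
    mismatches = {}
    actual_size = os.path.getsize(image_path)
    if actual_size != record["size"]:
        mismatches["size"] = (record["size"], actual_size)
    for alg, expected in record["hashes"].items():
        actual = hash_file(image_path, alg)
        if actual != expected:
            mismatches[alg] = (expected, actual)
    return mismatches


def demo() -> tuple:
    """Hash a constructed 16 KiB image, then flip one byte as contamination would."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.img")          # placeholder name
        manifest = image + ".manifest.json"
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 64)                    # synthetic image content
        write_manifest(image, manifest)
        intact = verify_image(image, manifest) == {}           # True right after acquisition
        with open(image, "r+b") as f:                          # one byte changed at offset 4096
            f.seek(4096)
            f.write(b"\xff")
        after = verify_image(image, manifest)
        return intact, after == {}, sorted(after)              # (True, False, ['sha1', 'sha256'])


if __name__ == "__main__":
    print(demo())
```

Recording two independent digests and the image size means a single changed byte is reported by every algorithm, and the manifest can be kept alongside the copy as part of the chain-of-custody documentation.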
Mail Databases – Evidence Preservation
Mail databases house abundant evidence, making them highly fruitful for cyber forensics.
To analyze digital evidence effectively, each piece of evidence must be handled correctly so that it remains valid in court. Because most communication of many employees within a company takes place by email, mail databases serve as an "archive" for the cyber forensic expert, and the data extracted from them is a central location for evidence preservation. Not everyone is aware that mail databases hold many pieces of information and data that are no longer, or only partially, physically present on a company's computers.
In a forensic examination by Tems Security:
- Evidence is expertly secured through a physical and logical mapping of the system.
- Relevant objects of the email client are examined, such as sent items, inbox, archive, deleted items, addresses, headers, etc.
- Email servers themselves, along with related logs, email data, backups, disaster recovery data, and the email gateway, are also analyzed.
As computer forensic experts, we proceed systematically, analytically, and, at times, like detectives. Conclusions can only be drawn from the secured body of data; alternatively, once it is established what the case is about, data can be recovered through file carving.
ERP Systems – Evidence Preservation
With Tems Security’s ERP systems, find, manage, and control relevant information in your company.
Modern companies are highly complex. For this reason, top managers are supported by computer-based ERP systems. In detail, Enterprise Resource Planning refers to the entrepreneurial task of planning, controlling, and managing personnel, resources, capital, operating resources, material, as well as information and communication technology in line with the company's purpose in a timely and demand-oriented manner. However, everything essentially boils down to one question: how do I obtain, from a system, the relevant information that I can search for precisely?
Since ERP systems involve structured data, specialized analysis tools are needed. These tools are supplied by commercial providers, and we would be happy to advise you on their implementation for your specific needs. However, Tems Security can also develop custom tools tailored to your company. With this so-called Predictive Coding, we search for various patterns and filter out precisely the information that gives us clues to the relevant data you are seeking and need.