In contrast to computer forensics prescribed by order of an investigator as part of legal proceedings, forensic examinations may be initiated independently or conducted upon request of law enforcement agencies before a case is initiated.
Their findings may provide the basis for an internal investigation or, being documented as a formal Examination Report, be presented as evidence in civil, administrative and criminal cases.
Forensic examinations are especially useful:
– when investigating information security incidents
The examinations help to establish the chronology of an incident and its possible causes, including the degree of employee involvement, and to obtain a wide range of data for further investigation (IP addresses, domain names, emails and messenger IDs belonging to criminals, etc.).
If malicious programs were used during the incident, the Laboratory analysts record traces leading to the criminals and include in their expert opinion data useful for configuring security measures.
– when investigating non-computer crimes
Forensic examinations can be used to record digital traces of financial and corporate crimes, and even adultery. Criminals with little or no background in information security leave many more pieces of evidence than they think, and therefore the opinions of the experienced forensic specialists from our Laboratory make a significant contribution to investigations of such cases.
– when responding to information security incidents
Detection, collection and retention of all the significant data on incidents are key response tasks that often exceed the abilities of in-house IT specialists, especially at the peak of stress. Mistakes made at this stage may make the evidence inadmissible in court.
The Laboratory specialists are equipped with mobile forensic systems for correct seizure and copying of information. They visit the incident location to provide the customers with flawless legal and technical support from the very beginning. We copy all the data needed for examination, seal the respective media, place them in safe custody, and document all the needed procedures correctly.
Moreover, the participation of the Laboratory specialists in the response allows us to obtain preliminary estimates of incidents and legal aid to plan subsequent steps.
The forensic examination may include:
- searching for traces of unauthorized access;
- retrieval and analysis of correspondence;
- examination of mobile devices;
- examination of installed malware;
- searching tasks based on specified criteria;
- examination of databases;
- examination of skimming devices;
- examination of network traffic and RAM dumps;
- examination of contents of crypto-containers;
- comparison of software products to find plagiarism and much more.
Advantages of Group-IB forensic examinations
Accuracy and completeness of conclusions
The wide range of advanced equipment and software solutions allows us to extract the maximum useful information from objects under examination, and our many years' experience of forensic examinations and participation in investigations of real crimes helps us to interpret the collected evidence accurately and comprehensively.
Legal significance of opinions
Opinions of the Laboratory specialists are documented in full accordance with the requirements of applicable laws and do not contain any procedural errors. This allows us to guarantee that they will be accepted by law enforcement agencies and courts as adequate evidence for civil, administrative and criminal proceedings.
Due to the broad competencies of Group-IB forensic specialists and advanced special equipment, all the examinations are conducted within the time limits specified when materials are submitted for analysis.
- We have conducted more than 2000 examinations, and about 500 of them have been conducted upon requests from law enforcement agencies.