Computer forensics is the analysis of data from a computer system or application in response to a security incident or computer misuse. The goal is to find evidence of what, when, and how an incident occurred, and who was involved. A computer forensic examination may be necessary when it is suspected that a computer system or application was used to commit a crime, or used for inappropriate activities which violated law or university policy.
Requesting a Computer Forensic Examination
- Restrict access to the suspect system or application; any change to it could damage potential evidence.
- Complete and submit the Request for Forensic Examination in Service Now to the Information Security Office.
- The purpose of the form is to give the Information Security Office the background of the incident and specific information, including: the users involved, the severity of the incident, and the type of data you hope to obtain from the forensic examination.
- The Information Security Office will gain approval, or verify approval, from the Provost, Vice President, or the Office of the General Counsel.
- Once the Request for Forensic Examination has been made, a member of the Information Security Office will contact you to coordinate the evidence pickup. An estimate of the time it will take to perform the investigation will be made, but it depends mostly on the quantity of data involved (number of systems) and the extent of the issue. Some investigations could take a few hours, while others may take weeks.
Steps of a Computer Forensic Examination
Once the suspected system has been received by the Information Security Office, these are the steps that will be performed by the examiner:
- Chain of custody documentation is created to track the evidence at all times. The system will be held in a secure locker when not being examined.
- All electronic data is recovered from the hard drive and analyzed to find the information requested. Areas of concern or violations are noted.
- A full written report will be created and given to the requestor for further action. The system can then be returned as long as there is no threat to the network or computer user.