INCIDENT RESPONSE GUIDELINES of DataInquiry, LLC

Corporate Incident Response
Below are our guidelines for corporate incident response regarding electronic evidence. Our procedures and guidelines are based on the National Institute of Standards and Technology (NIST) publication “Computer Security Incident Handling Guide”. This publication provides detailed procedures on implementing an incident response program.

DataInquiry approaches a corporate incident response in the following broad steps. These steps apply to Windows and other operating systems.

  1. Respond immediately with a minimum impact on the business and its processes. We can respond within hours of a suspected incident. In New Hampshire we have three people who can be on-site immediately.
  2. Capture volatile system information. If possible it is important to capture data such as network connections, login sessions, open files and memory. This data is not available once the system is shut down and connections are lost.
  3. Acquire the evidence without altering or damaging the original, which is the drive in question. We use write blocking tools and software to make forensic images of the drives.
  4. Authenticate that the recovered evidence is identical to the originally seized data. As the data is acquired we do a “hash analysis”. The hash number uniquely identifies the contents of the drive and is statistically accurate to 3.4x10^38.
  5. Analyze the data without writing to or modifying the data. All our discovery is performed against *.E01 files. E01 files are evidence files created from the suspect drive. These files are read only.
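
The hash check in step 4, sketched as an added example (not DataInquiry's own tooling): the image is hashed once at acquisition, the digests are recorded, and every working copy is re-hashed and compared before analysis. It assumes raw image files; the 3.4x10^38 figure equals 2^128, the size of a 128-bit digest such as MD5, so MD5 is used here with SHA-256 alongside it. File names and sample bytes are constructed.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit fully in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Stream the image once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:  # opened read-only, never written
        for chunk in iter(lambda: image.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, recorded):
    """Return the algorithms whose digest differs from the acquisition record."""
    current = hash_image(path, tuple(recorded))
    return [name for name in recorded if current[name] != recorded[name].lower()]


def demo():
    """Acquire a constructed image, verify a copy, then verify after a 1-bit change."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "suspect_drive.img")  # hypothetical name
        with open(original, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample sector" + b"\x00" * 4096)
        recorded = hash_image(original)  # goes into the chain-of-custody record

        copy = os.path.join(workdir, "working_copy.img")
        shutil.copyfile(original, copy)
        intact = verify_image(copy, recorded)  # no mismatches expected

        with open(copy, "r+b") as f:  # simulate a single flipped bit in the copy
            f.seek(100)
            byte = f.read(1)[0]
            f.seek(100)
            f.write(bytes([byte ^ 0x01]))
        altered = verify_image(copy, recorded)  # every algorithm should mismatch
        return recorded, intact, altered


if __name__ == "__main__":
    recorded, intact, altered = demo()
    print("acquisition digests:", recorded)
    print("mismatches on intact copy:", intact)
    print("mismatches after 1-bit change:", altered)
```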

While each incident is unique, we have a standard methodology that each team member follows in responding to an investigation of electronic evidence. Our methodology is standard in law enforcement and has detailed procedures for securing the suspected computer at the incident location, powering off the computer, labeling evidence, and documenting the chain of custody.

Thank you for your interest.

Brian Carne
Manager.
