Acquisition of computer forensic evidence

Computer Forensics Expert Note: In the field of computer forensics, the preserving and authentication phase is critical to ensure the admissibility of evidence, should that become necessary. Perhaps the most important consideration is that the original evidence must not change during the acquisition process. For this reason, the forensic examiner must use forensically sterile new media. The examiner must also ensure that the forensic copy is a bit-by-bit copy. To authenticate properly, the examiner must perform three hashes: First hash the original evidence.

AVM Technology In The News Again - Malware Tracking

Recently, we discussed the malware tracking algorithm.  Although this algorithm still has not been implemented to track real malware authors, it presents intriguing possibilities.  We had an opportunity to discuss this algorithm on NBC 12.  Here is the video.

 

We also have a separate blog post discussing some specifics of how the algorithm works.

...

Researchers Develop An Algorithm To Track Malware and Computer Viruses

This is the model used for assigning likelihood to a source. The image on the left shows the method for locating a cellphone on a network. The method is based on signal travel time. The image on the right shows two observers measuring the arrival time of information. The measurements are combined to generate a likelihood for each potential so...

What is Computer Forensics?

Computer forensics, or digital forensics, refers to the collection of evidence from digital computers, laptops, smart phones, and storage media (such as portable drives, SD cards, memory sticks, etc.). This collection process must be performed utilizing a sound methodology so that the evidence could be admissible in a legal setting. Therefore, the e

...

AVM Technology Discusses Ransomware on NBC 12

AVM Technology recently appeared on NBC12 News in Richmond, Virginia to discuss ransomware. Ransomware is a type of malware. Its purpose is to extort money from users. After getting infected, the system may become unresponsive and display a screen asking the user to pay a certain amount of money to obtain an “unlock code.” Some variants of the malware may even display an official-looking screen, claiming to be the FBI, the Department of Homeland Security, or just about any other law enforcement or government entity. The video below appeared on NBC News 12.

Smartphone And Mobile Device Forensics

Evidence contained in smartphones and tablets, such as iPhone, Android, iPad and others, is often essential for civil or criminal cases. Text messages, e-mails, photos, and other similar evidence are often of extreme importance during criminal cases, divorce cases, employment cases, breach of contract, and many other matters.
At AVM Technology, we provide mobile device computer forensics expert services throughout Virginia and throughout the United States.

Computer Forensics Costs as Part of a Computer Fraud and Abuse Lawsuit in Virginia

Computer forensics is often important in determining the extent of data theft. Data theft does not always come in the form of a computer being attacked by a hacker in a faraway location. Data theft many times comes from within, from employees taking the company's data and selling it to competitors or taking it themselves so that they can start their own competing business. In a recent case in Virginia, a company claimed certain damages for purposes of the Computer Fraud and Abuse Act (CFAA).

Pizza with a side of malware

We have been made aware of a new wave of the pizza phishing scam. The email informs you that you were apparently very hungry and ordered some pizza. Only, if you try to cancel this "mistaken" order, you get, free of charge, a side of malware for your computer. The link goes through kontrollmedia.hu (only one of many domain names used) and begins a sequence of downloading malware to your computer.

These emails can be traced to various IP addresses, mostly associated with spam and various attacks. Some of these IP addresses include:

Botnets Part One - Classification

As discussed in our Pizza With a Side of Malware post, there are a large number of Internet schemes and scams trying to get legitimate users to click on certain links. Many believe that the creators of these scams are after private information stored in your computer. While true, the scenario is a bit more complicated. They are also after your computer resources. When the "payload" contained in a file or Internet website is downloaded to your computer and the malicious software executes, they control (or own) your computer.

Apple (Mac) Computer Forensic Analysis

In our computer forensics and Information Security practice, we frequently encounter the need to examine Apple computers. Although tools such as EnCase and FTK can be effective in analyzing HFS+ systems (this is the Mac file system), the examiner has to take other steps. For example, things such as recovering deleted files and creating an image that can be effectively analyzed can be done very effectively by a computer forensics examiner who is familiar with Macs. Why is using a Mac important for examining other Macs? Is a FireWire acquisition useful to cut the imaging time?