Cyber forensics is a complex field. Many IT professionals incorrectly assume a forensic engagement simply involves searching through logs and other files for signs of "interesting" or "unusual" behavior. In reality the discipline is far more demanding, because the findings may have to hold up under legal scrutiny.
Companies generally request forensic support when wrongdoing is suspected. If the evidence uncovered points to inappropriate or illegal behavior, the requesting party will most likely want to act on it, whether by terminating an employee, suing for damages, or seeking criminal charges if the incident warrants.
Because of the potential for legal involvement, the forensic analyst must be properly trained. The investigation must be performed ethically and in strict adherence to accepted practice so that the evidence is admissible in court. Commonly accepted tools and documented procedures must be used; otherwise the analyst risks having the evidence excluded for improper handling, or worse, being discredited on the stand by the opposing side's expert witness.
Those practices and procedures are akin to law enforcement technique: the analyst must track chain of custody and preserve the original evidence in the state it was first encountered. In practice that means acquiring a complete, bit-for-bit copy of each device or data source through a hardware write blocker that prevents any write to the original while the copy is made, and recording cryptographic hashes of the source and of the copy so the two can later be shown to match. A well-meaning but uninformed support specialist may not realize that merely booting a laptop or powering on a phone or tablet changes the device: the operating system writes logs, updates timestamps and reuses free space, potentially invalidating any evidence collected or overwriting deleted data that might otherwise have been recoverable.
For these reasons, a forensic investigation is best left to the professionals. Use a chain of custody form whenever devices are seized or returned, recording who handled each item, when, and why. Leave powered-off devices off. If a device is already running, do not shut it down or unplug it without guidance either, since volatile data such as memory contents and encryption keys is lost at power-off and the forensic team may want to capture it first. Secure the devices until they can be handed over to the forensic team to begin their investigation properly. If in doubt, ask for guidance before acting so that nothing you do hinders the investigation.
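As an added illustration of the two requirements discussed above, a verified bit-for-bit copy and a chain-of-custody record, the following Python sketch is not code from the original article or from any forensic tool. It uses an ordinary file as a constructed stand-in for a block device (a real acquisition would read /dev/sdX behind a hardware write blocker with an established imaging tool), and the evidence ID, handler name and JSON-lines log layout are made-up conventions for the example. It images the "device" while hashing the bytes read, re-hashes the finished image to confirm the copy matches, logs each handling step, and then shows the same hash check catching a single changed byte in the stored image.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read and write in 1 MiB blocks


def hash_file(path: str) -> str:
    """SHA-256 of a file's full contents, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path: str, image_path: str) -> dict:
    """Bit-for-bit copy of source_path to image_path, hashed in the same pass.

    The source is opened read-only (on a real acquisition it would also sit
    behind a hardware write blocker). The finished image is re-read and hashed
    so the copy can be shown to match exactly what was read from the source.
    """
    src_hash = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_digest = src_hash.hexdigest()
    image_digest = hash_file(image_path)
    return {
        "bytes": total,
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "verified": source_digest == image_digest,
    }


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash a stored image and compare it with the hash recorded at acquisition."""
    return hash_file(image_path) == expected_sha256


def custody_entry(evidence_id: str, handler: str, action: str, details: dict) -> dict:
    """One chain-of-custody record: who did what to which item, and when (UTC)."""
    return {
        "evidence_id": evidence_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "details": details,
    }


def append_custody(log_path: str, entry: dict) -> None:
    """Append-only JSON-lines custody log; each line is one self-contained record."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def run_demo() -> dict:
    """Acquire a constructed 'device', log custody, then show the check catching a change."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(workdir, "device.raw")  # constructed stand-in for /dev/sdX
    image = os.path.join(workdir, "EV-0001.dd")   # hypothetical evidence ID
    log = os.path.join(workdir, "custody.jsonl")

    # Constructed sample contents: 2560 bytes with a known pattern.
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 10)

    append_custody(log, custody_entry("EV-0001", "J. Doe", "seized", {"state": "powered off"}))
    result = image_device(device, image)
    append_custody(log, custody_entry("EV-0001", "J. Doe", "imaged", result))
    intact = verify_image(image, result["image_sha256"])

    # Simulate one flipped byte in the stored image (e.g. it was mounted read-write later).
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"\x01")
    after_change = verify_image(image, result["image_sha256"])
    append_custody(log, custody_entry("EV-0001", "J. Doe", "verified", {"match": after_change}))

    with open(log, encoding="utf-8") as f:
        entries = sum(1 for _ in f)
    return {
        "acquisition": result,
        "verified_before": intact,
        "verified_after_change": after_change,
        "custody_entries": entries,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of hashing the source stream and the written image separately, rather than trusting the copy loop, is that the two digests recorded in the custody log are what an examiner later uses to demonstrate the image still matches the original; any write to the image, however small, breaks that match, which is exactly why the original is never worked on directly.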