Computer forensics investigation is the art of detecting, capturing, analyzing, and presenting evidence pertaining to incidents (First Responder's Procedure). Computer forensics is the application of multiple investigatory and analytic techniques for the purpose of presenting evidence in civil or criminal court. Evidence might be sought for a range of computer misuse, including but not limited to instrusions, identity theft, intellectual property theft or destruction, and misuse of state resources. Computer forensics enables the systematic and careful identification of evidence in computer related crime and abuse cases. This may range from tracing the tracks of a hacker through compromised systems, to tracing the originator of defamatory emails, to recovering signs of abuse and fraud. All discovered incidents require investigation.
UW Medicine Information Security Policy (SEC-10.0) requires forensic investigation into incidents. The purpose of this Incident Response and Investigation policy is to establish procedures for handling information security incidents. UW Medicine takes appropriate steps to ensure that information systems are properly protected from a internal and external threats.
The Security Program provides computer forensics investigative services to UW Medicine. Forensics investigations are comprised of image captures, forensics analysis, and forensics reports.
Image captures are the process of obtaining a legally sound copy of the system, hard drives, and peripheral devices under investigation. Image captures are to be executed only by trained forensics investigators and those working directly with them.
Image capture techniques include the following:
Forensic analysis is conducted by accredited forensics investigators using proven methodologies in forensic science, and are based on criteria provided by the requestor.
Forensics reports are created by the forensics investigator assigned to the case. The completed reports are submitted to the Compliance Officer assigned to the case. The requestor will receive the report from the Compliance Officer.