Forensic Services

OIT provides forensic services to analyze systems and storage devices that are suspected of being either compromised or used in an illegal or inappropriate manner.

OIT uses an enterprise forensic tool that enables authorized individuals to remotely perform forensic activities on any Windows, Mac or Linux computer that has the agent installed. However, the CISO must approve any remote access before action may be taken. Capabilities include:

  • Creating forensic copies of the device’s storage devices
  • Detecting suspicious data in a computer’s memory, active registry and storage devices
  • Gathering network information, such as all of the IP addresses connected to that device, the ports to which they are connected, and the applications that are associated with those ports
  • Identifying the processes, including hidden processes, that are running on the device, and for each process:
    • what services are being used by those processes;
    • what applications are associated with those processes; and
    • what user launched those processes.
  • Identifying which files are open and which users or processes are accessing them
  • For Windows, providing all the DLLs that are loaded

Please note that the gathering of evidence requires that the system or storage device in question not be altered in any way, whether by rebooting the system, installing any software, or generally exploring the device. If you suspect that a system has been compromised or misused, physically disconnect it from the network and request forensic assistance through the OIT Support and Operations Center Help Desk at 8-HELP or helpdesk@princeton.edu.