Wednesday, November 16, 2011

During the one-week attachment here at the SARS (South African Revenue Service), I am extremely impressed by a visit to the Computer Forensics Laboratory. I am penning down my experiences below.

The high point for me during the attachment was a visit to the Computer Forensics Laboratory at the Large Business Center here at the SARS. The Computer Forensic Laboratory has five computer experts who manage the entire operations for South Africa. Mr. Arvind Maharaj, a brilliant computer expert, heads the laboratory. The high-revenue tax-related cases which go to court and involve detailed scrutiny of electronic evidence are referred to the Computer Forensic Laboratory.



The laboratory appeared to be small, with only one big room and four small rooms, but the discussion that followed stumped us completely. We were shown the hugely powerful computers that the personnel here use for their operations. All the computers are custom-made, possessing 24 GB RAM, a 3.2 GHz quad-core Intel processor and a hard disk of around 9 TB. We were then shown a standard hardware device that is used for making an image of a seized hard disk or an external hard disk. The image that is made is a read-only image, and hence nothing new can be written over these images, and the viruses on the hard disk also do not infect the system on which the image data will be viewed. Arvind also told us that it is possible to retrieve files which have previously been permanently deleted by the user. In fact, the current technology allows the retrieval of files which have been deleted up to seven levels, e.g. if a hard disk has been formatted six times, the data that existed on the hard disk initially could be retrieved. This was surely an eye-opener for us, but others followed one after the other from Arvind in response to our questions to him.



A smartphone kit was then demonstrated to us which had around 100 different adaptors to charge a phone. It also contained a sleek device which is capable of taking a backup of all the data on the phone and the SIM cards (including data that has been deleted up to seven levels, as above): contact details, call logs, SMS data, MMS data, photos, images, audio, video and e-mails.



Mr. Zeoline, a very enthusiastic member of the five-member team, then demonstrated to us a software tool named FTK Imager, which is used for analyzing the data in an image of a seized hard disk or an external memory. The files which have been deleted permanently could also be retrieved using this software. Additionally, those files whose file types have been intentionally modified to avoid being opened could also be easily opened in this software.



Mr. Arvind then showed us a skimmer, a device which can capture the details on a credit, debit or any other electronic card. He also said that this device is prone to a lot of misuse, particularly by restaurant personnel who swipe the customer's device on the device that they possess and also on this skimmer. The information stored in the skimmer device could later be retrieved by connecting it to a computer using a USB port, and duplicate cards could be made.



All in all, it was a mind-boggling session. The immense knowledge and skills that Arvind and his team members possess were clearly evident in the way they responded to our bombardment of questions. The stipulated duration of the session was 30 minutes, but the session continued for over an hour as a result. Finally, all of us were sent to the classroom as the next faculty was waiting.

1 comment:

Vaibhav Jindal said...

Thanks for sharing the mind-boggling training experiences. Best wishes.