What Is Computer Forensics?
The term computer forensics refers to a refined combination of technology and art. A computer forensic expert uses the existing data on electronic systems to roll back time and paint a coherent picture of what the system was used for yesterday, last week, last month or last year. Their role is to discover what critical information was moved, copied, deleted or compromised, while preserving the integrity of the evidence.
Experienced computer forensic experts, using proven techniques and sophisticated tools, can retrieve and analyze all data on a system to the fullest extent possible. This includes e-mail and deleted files as well as logs and other information that may be relevant to the issues being investigated.
Why Conduct a Computer Forensics Examination?
Law enforcement is not the only employer of forensics. Many people use this service to confirm their suspicions and reveal suspicious files, such as illegal photos and/or documents, on a computer. Forensics can also show what web pages kids, spouses, and/or employees have visited and when they did so. Recover deleted files, email correspondence, and more. Discover the history of any suspect computer system. We use the exact same methods and software in our examinations as most other companies in the computer forensics field.
• Proof that something exists or does not exist on a drive.
• Proof that something was deleted when it should not have been.
• Proof that something was or was not sent, received, or copied.
• Proof that something happened or did not happen at a certain time.
• Creation of a timeline of user activity to show patterns of activity.
• Retrieval of deleted data.
• Retrieval of data that was never even saved locally, such as chats or webmail.
A Summary of What We Do:
• Protect the suspect computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
• Discover all files on the suspect drive. This includes existing normal files, hidden files, password-protected files, deleted yet remaining files, and encrypted files.
• Recover all discovered deleted files.
• Reveal the contents of hidden files as well as temporary or swap files used by both the operating system and the application programs.
• Access the contents of protected or encrypted files.
• Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called 'unallocated' space on a disk, as well as 'slack' space in a file.
• Print out an overall analysis of the suspect computer system, as well as a listing of all possibly relevant files and discovered file data. Further, uncover attempts to hide, delete, protect, or encrypt information, and anything else that has been discovered and appears to be relevant to the overall computer system examination.
We conduct investigations in strict accordance with all computer forensic procedures outlined by the Department of Justice (DOJ) and IASIS® to ensure the integrity, accuracy and validity of any evidence obtained. The significance of trace material as associative evidence relies on proper detection, collection, and preservation.
Our computer forensic process is based on the following model:
1. Plan:
Any successful computer forensics investigation begins with a plan. The ability to build and follow targeted workflow guidelines which save time, increase the amount of relevant data, and produce the highest quality results is essential. Our team can work with staff investigators and security personnel to identify and target sources of evidence, gain an understanding of the case, and apply the proper procedures.
2. Acquire:
The process ranges from complete computer forensic disk imaging to gathering information from sources (such as servers) in a manner consistent with the Best Practices of the Computer Forensic Guidelines. This ensures the proper chain of custody and admissibility in court.
3. Extract:
Our certified investigators have years of experience in electronic data recovery and acquisition. The ability to go beyond the capabilities of computer forensic software tools while maintaining computer forensic soundness is critical to making a case. Our keen understanding of where to look in complex corporate networks, along with our ability to work as unobtrusively as possible, sets us apart from others. We are experienced in extracting electronic data from desktop and laptop PCs as well as complicated mail and financial systems.
4. Analyze:
Even the smallest hard disk drives contain tens of thousands of files. We use advanced techniques and tools to isolate only the most relevant electronic data. We deliver results of the highest relevance, and we handle the investigation in the shortest possible amount of time. Having a deep understanding of the underlying technologies makes finding "the smoking gun" - in the least likely places - our specialty.
5. Report:
Once the analysis is complete, presenting an understandable, defendable, and complete report is key. Our clients find the evidentiary packages are easy to understand and extremely precise. The addition of relationship charts, entity explanations, timelines, histories, and mail thread analysis gives our clients a clear comprehension of the issue and the players involved. The ability to defend the process and testify to the methodologies used makes our experts unrivaled in the field of computer forensics.