Computer Forensics


It is said that data is never completely erased from storage media. While this is not quite true, it can be difficult to removed data from a computer Hard Disk Drive ( HDD ) completely without special tools or software. As a result a wide variety of data can be recovered from the computer HDD. Not that long ago, the average size of a HDD was measured in megabytes (Roughty 1,000,000 bytes). Now storage is measured in gigabytes or terrabytes, which translates into billions and trillions of characters of data.

Computer forensics is performed in stages. These stages include:

Expert Consulting: We work with attorneys, corporations, and individuals worldwide to determine the needs of the computer forensics investigation. Working with the stake holders, we determine what type of evidence should be collected to yield the most information related to the case. We also take into account the stakeholder's objectives to determine timing, available evidence, and more to ensure we collect the appropriate evidence with the appropriate methods. During this consultation process, we identify all the locations where evidence may exist. This includes: computers, mobile devices such as cell phones and tablet devices, social media accounts, thumb drives (USB drives), CDs and DVDs, network routers and firewalls, GPS devices, cloud storage, security and camera systems as well as other types of devices that may contain Electronically Stored Information (ESI).

Evidence Collection: The next step is to collect the evidence. During evidence collection, forensically sound methods need to be applied to ensure the integrity of the data. Because data is easily destroyed, when the data arrives at the lab or is collected in the field, the first priority of the investigator is to preserve integrity of the evidence. Just turning on the machine and allowing the system to boot, will cause irreversable changes to the data. Hard Disk Drive and other storage media are Write Protected and a Forensic Image ( Also known as a Mirror Image, Bit by Bit Image or Forensic Hard Disk Drive Image ) is made of the media. When a Mirror Image is created, specialized equipment and tools are use to make the media essentially Read Only and prevent any alteration of the data stored on the media. During collection, in most cases, a digital fingerprint or hash is created which ensures that future copies of the evidence are identical and that the evidence examined does not change. Evidence collection may be done in the field or by sending the evidence to our lab.

Evidence Processing & Analysis: During this stage, we analyze the data using computer forensics industry standard methods, procedures and tools. We analyze what happened, when it happened, how it happened and who was involved. During this stage, we look for data which may be obfuscated or hidden. This may include compressed, encrypted or deleted data. We examine slack space and free space on the storage media to find deleted data. During this process, we paint a picture of what happened.

Expert Reports: After the analysis stage, it is normal and customary to create a written report. This computer forensics report will include the relevant information that applies to the case. Our reports are compiled and written in plain English. They are easily understood and may be presented in court. In general, they include information regarding the background of the case, the methodologies employed, the documents reviewed, the evidence reviewed as well as the facts retrieved from the evidence. Exhibits may be attached to the report and referenced to show the reading party what the evidence contained. Expert opinions may also be stated when the evidence doesn't speak for itself. Our reports are regularly used in settlement negotiations, plea negotiations and court hearings. Affidavits may be included to make the report sworn testimony.

Expert Witness Testimony: This is normally the final stage of our work. Whether in deposition, court hearings or trial, our experts are skilled at presenting complex digital information in plain English. Our expertise can be relied upon to explain complex digital evidence so the fact finders will understand. We can utilize exhibits and technology such as multi-media can enhance the experts testimony and make the evidence easy to understand for the Judge in a bench trial or the Jury. Our experts have testified in state as well as federal courts. In addition we have experience in mediation and arbitration cases. We also serve as special masters and have done so at state and federal levels.

Computers store data on Storage Media includes:

  • Hard Disk Drives
  • Floppy Disks
  • Backup tapes
  • CD Rom disks
  • E-prom and Memory chips
  • SD Cards
  • Thumb Drives
  • And More!

Common data retrieved from Storage Media:

  • Internet History files
  • What web sites have been visited.
  • What files were been downloaded.
  • Length of visit.
  • Records of files printed
  • Deleted documents
  • Evidence of erasure of data
  • Accounting system information
  • Hidden Files
  • Email
  • Instant Messages
  • Computer System Intrusions

And much more.


Copyright © 2003 - 2024 Evidence Solutions, Inc. All Rights Reserved.

Search