Types of data often considered as critical evidence in litigation include:
- plain text and documents
- calendar files
- digital faxes
- video files
- audio files
- computer applications
- viruses and spyware
Computer Forensic Process
In the forensic process of computer forensics it is a common occurrence that original evidence is imaged (duplicated) for analysis purposes. Standard forensic principal is to maintain the complete and original integrity of the source evidence. At Computer Forensics Associates we are thoroughly trained and accustomed to such and uses the following techniques to ensure the complete protection of original evidence.
We can capture (acquire evidence) and collect data from virtually any location within the United States utilizing both on-site data acquisition and live data capture. If the data has been deleted, burned, flooded or physically damaged, forensic experts can recover the evidence so it can be analyzed.
Acquisition / Collection of Data
- We utilize Fast Bloc/Tableau hardware write block protection devices on all suspect drives prior to making any access attempts to the device. The write block device completely controls and blocks any and all instructions by the computer to write data to the drive.
- We maintain a strict Chain of Custody ensuring original evidence is properly and securely maintained while in our possession.
- We utilize court certified and approved imaging tools including Guidance Software’s Encase and Forensic ToolKit (FTK) Imager to perform a bit by bit (exact copy) of the device, which provides an MD5 Verification Hash to ensure integrity of the data.
- Our personnel are trained on exacting processes for acquisitions and are continually retrained as new technologies become available.
Analysis and Processing of Data for Evidence
- Court certified analysis tools including Guidance Software’s Encase and Access Data’s Forensic Toolkit (FTK) are utilized to ensure your evidence will stans up in court.
- You provide parameters such as a keyword list of important terms regarding the case so we know exactly what you are looking for.
- We retain a copy of the image and perform the investigation on an additional copy that has been MD5 Hash verified so that your original evidence remains pristine and unchanged.
Our Forensic Investigator’s first step will be to capture a Digital Forensic Image from the original device. This is accomplished by using Hardware Write Blockers and the latest Forensic Imaging software. Digital fingerprints are then assigned to the original electronic storage device and the newly created image.
Regardless of where the evidence is stored: Tape Backups, File Servers, Single Disk Drives, Mail Servers or Multiple disk drives. It doesn't matter; if the evidence exists we will find the “smoking gun”.
Once our Forensic Investigators have captured the forensic image, all data will be indexed and analyzed. Anything with two characters or more will be part of the data library. This includes data that may have been partially overwritten or deleted.
An investigation and evidence analysis is then performed using key date ranges, email addresses, keywords or phrases you specify. An investigation report will be generated and provided to you on the digital media of your choice. The report will have the look and feel of Windows Explorer and will automatically launch so you can read it.
Call today for a consultation: 866.237.0454