What is Forensics?

Computer or digital forensic science deals with the preservation, identification, extraction, and documentation of computer evidence. Computer media examined during an investigation could at some point be required as legal evidence in a civil or criminal court. Therefore, the manner in which the data is acquired, authenticated, and analyzed becomes critical. Traditionally, this media came in the form of disks, including floppies, CDs, DVDs, and hard drives. More recently, there has been an explosion in smaller, more portable, removable forms of flash memory such as PC Cards, USB memory, and others.

Understanding how data is accessed and stored is also important, as it can help you recover evidence that someone has tried to hide, erase, or destroy. The US Secret Service has guidelines on the collection and storage of electronic evidence. If evidence is to be used in the courtroom, there should be no argument about its validity. Computer forensic investigators need to take extra care to make sure the data is not changed or altered while in their possession. This is one reason a forensic investigator works with copies of the original data. Steps must be taken to validate any copy and ensure the original remains unchanged. Checksum programs aid in this process.

How do trained computer forensic investigators make copies of evidence? Some computer forensic investigators use programs such as EnCase, Ghost, FTK, or SafeBack to copy data or build case data. 

Disk copy programs can work in two different ways. Information can be copied by file or at the bit level. These methods are also referred to as logical or physical copying. Bit-level (physical) copying is the standard to which computer forensic investigators operate. It is the standard because each sector and track of information is reproduced. Information is in the exact same position and location on the copied disk as it is on the original.
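The following is an added example, not code from the original page or from any of the tools named above. It shows a bit-level copy validated with a checksum, as described in the two passages on validating copies and on physical copying. The function names and the small in-memory "disk" are assumptions constructed for illustration; in practice the source would be a device or image file opened read-only.

```python
import hashlib
import io

SECTOR = 512

def image_device(src, dst, chunk=SECTOR * 8):
    """Copy src to dst byte-for-byte, hashing while reading.
    Returns (bytes_copied, sha256_hex) recorded at acquisition time."""
    h, total = hashlib.sha256(), 0
    for block in iter(lambda: src.read(chunk), b""):
        dst.write(block)
        h.update(block)
        total += len(block)
    return total, h.hexdigest()

def sha256_stream(f, chunk=SECTOR * 8):
    """Hash a stream from its first byte."""
    f.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: f.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify(original, image, acquisition_hash):
    """Valid only if the original is unchanged AND the copy matches it."""
    return sha256_stream(original) == acquisition_hash == sha256_stream(image)

def build_sample_disk():
    """Constructed 16-sector disk: one live file, plus a remnant of a
    deleted file left behind in an unallocated sector."""
    disk = bytearray(SECTOR * 16)
    def put(offset, data):
        disk[offset:offset + len(data)] = data
    put(SECTOR * 2, b"LIVE FILE: quarterly report")
    put(SECTOR * 9 + 100, b"DELETED: remnant of erased memo")
    return bytes(disk)

def demo():
    original, image = io.BytesIO(build_sample_disk()), io.BytesIO()
    size, digest = image_device(original, image)
    ok = verify(original, image, digest)
    # A physical copy keeps the deleted remnant at the same offset as on
    # the original; a file-by-file (logical) copy would never include it.
    offset = image.getvalue().find(b"DELETED")
    # Flip a single bit in the copy: the checksum comparison must fail.
    tampered = bytearray(image.getvalue())
    tampered[offset] ^= 0x01
    tamper_ok = verify(original, io.BytesIO(bytes(tampered)), digest)
    return size, ok, offset, tamper_ok

if __name__ == "__main__":
    print(demo())
```

Recording the acquisition hash alongside the case documentation lets any later examiner repeat the comparison against both the original and the working copy.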


 

 

Forensic Consulting Services


Superior Solutions, Inc. follows industry standard forensic recovery procedures. Our examiners are certified in leading forensic procedures. They follow industry standards when working to acquire, authenticate, and analyze digital data.

ACQUISITION

Most individuals are unaware of how computer data is stored; therefore, our examiners can typically acquire information that will reveal what a computer was used for, when it was used, and what the user did on the Internet or corporate network. Typically, we can recover much of what the user wrote, read, or viewed.

AUTHENTICATION

The first rule of computer forensic evidence analysis is that the evidence must be authenticated. The search for evidence on a computer should only be done by a trained and experienced computer forensic examiner. Unauthenticated evidence cannot be used in civil or criminal court. Proper chain-of-evidence requires the examiner to document all work, make a mirror image, and perform an analysis on the copy.

PRESERVATION AND ANALYSIS SERVICES

We can perform a system analysis to quickly investigate and determine if any compromises have been made to your systems as the result of an incident. We can also provide the following types of analysis services:

1. Incident response

2. Password recovery

3. Keyword search and data analysis

4. Document and data financial extraction

5. Recovery of accidentally or intentionally deleted data

6. Bit-level image copy of hard drives, magnetic media, or CD/DVDs 


HOW DO I LEARN MORE?

Our representatives are standing by to offer a complimentary consultation. Feel free to contact us at TheSolutionFirm