Key Steps to a Quality Computer Forensic Investigation
Identification / Computer Hardware Seizure:
In preparation for a computer forensic project, the primary step is to determine and identify the most likely sources of information. Whether it is of a personal or criminal nature, preparation is critical in preserving any and all evidence. Positive Control, the act of properly documenting and handling all potential evidentiary material (such as computer systems and hard drives), is key. We offer the ability to assist on-site to help identify and find other potential sources.
Non-invasive Acquisitions:
Hard drive acquisition is the technique of imaging, or copying, the entire contents of a hard drive to another hard drive. This could arguably be the most critical part of the forensic process. The imaging allows complete data transfer without modifying the original drive and forensically preserves all content, as well as date and time stamps. At this point, an exact duplicate has been created, thereby allowing us to perform a full recovery and forensic analysis.
Restoration:
After acquisition, the hard drive is put through our standard series of protocols to recover and restore information. This allows us to determine what currently exists on a drive and what has been deleted, and to provide complete dates, times, contents, and other pertinent data relevant to the task at hand. Other areas not normally visible to users, such as file slack and unallocated space (unused space), are also reviewed for information. Essentially every segment of the hard drive is exposed for restoration.
Searches:
There are many levels of searches that may be performed to preserve confidentiality. A shallow search can be performed, where general information is gathered and presented for further review, or an in-depth search can be performed, where full data output is provided. As mentioned previously, all areas of the hard drive are exposed for searches. Searches may be as simple as finding a lost or deleted document or as detailed as finding specific text or information somewhere on the hard drive. Time span searches may also be performed for key dates.
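To illustrate what a search across all areas of a drive involves, the following added example (not this firm's tooling) scans a raw image byte by byte, so text sitting in file slack or unallocated space is found as readily as text in a live file. The function names, the keyword `ACCT-4471` and the four-sector sample image are constructed for the illustration.

```python
import io

SECTOR = 512  # assumed sector size for the constructed sample


def search_image(stream, keywords, chunk_size=1 << 20):
    """Return sorted (offset, keyword) hits found anywhere in a raw image.

    The stream is only read, never written. Each chunk is searched together
    with the last (longest keyword - 1) bytes already seen, so a hit that
    straddles a chunk boundary is still found; the set removes repeats.
    """
    needles = [k.encode("utf-8") for k in keywords if k]
    if not needles:
        return []
    overlap = max(len(n) for n in needles) - 1
    hits, tail, base = set(), b"", 0  # base = image offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for n in needles:
            pos = window.find(n)
            while pos != -1:
                hits.add((base + pos, n.decode("utf-8")))
                pos = window.find(n, pos + 1)
        keep = min(overlap, len(window))
        base += len(window) - keep
        tail = window[len(window) - keep:]
    return sorted(hits)


def build_sample_image():
    """Constructed 4-sector image: live data, slack remnant, deleted text."""
    img = bytearray(4 * SECTOR)
    img[0:17] = b"current file data"                # allocated file content
    img[100:121] = b"old ACCT-4471 remnant"         # slack in the same sector
    img[1516:1541] = b"deleted memo re ACCT-4471"   # unallocated, crosses 1536
    return bytes(img)


def demo(chunk_size=SECTOR):
    """Search the constructed image, reading chunk_size bytes at a time."""
    image = io.BytesIO(build_sample_image())
    return search_image(image, ["ACCT-4471"], chunk_size)


if __name__ == "__main__":
    for offset, word in demo():
        print(f"{word} at byte {offset} (sector {offset // SECTOR})")
```

In practice the stream would be the acquired image file opened in binary read mode, never the original drive.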
Review and Production:
Along with verbal updates, reports and recovered data can be presented in any combination of styles and mediums including, but not limited to, CD-ROM, DVD, Zip disks, memory cards, hardcopy, as well as additional hard drives. Software will also be recommended and provided where it will facilitate the review process. If required, we may also assist in conducting the necessary reviews under your direction.