Computer Forensics

It is said that data is never completely erased from storage media. While this is not quite true, it can be difficult to remove data from a computer hard disk drive (HDD) completely without special tools or software. As a result, a wide variety of data can be recovered from the computer HDD. Not that long ago, the average size of an HDD was measured in megabytes (roughly 1,000,000 bytes). Now storage is measured in gigabytes or terabytes, which translates into billions and trillions of characters of data.

Computer forensics is performed in stages. These stages include:

Expert Consulting: We work with attorneys, corporations, and individuals worldwide to determine the needs of the computer forensics investigation. Working with stakeholders, we determine what type of evidence should be collected to yield the most information related to the case. We also take into account the stakeholder's objectives to determine timing and available evidence to ensure we collect the appropriate evidence with the appropriate methods. During this consultation process, we identify all the locations where evidence may exist. This includes computers, mobile devices such as cell phones and tablet devices, social media accounts, thumb drives (USB drives), CDs and DVDs, network routers and firewalls, GPS devices, cloud storage, security and camera systems as well as other types of devices that may contain Electronically Stored Information (ESI).

Evidence Collection: The next step is to collect the evidence. During evidence collection, forensically sound methods need to be applied to ensure the integrity of the data. Because data is easily destroyed, when the data arrives at the lab or is collected in the field, the first priority of the investigator is to preserve the integrity of the evidence. Just turning on the machine and allowing the system to boot can cause irreversible changes to the data. Hard disk drives and other storage media are write-protected, and a forensic image (also known as a mirror image, bit-by-bit image, or forensic hard disk drive image) is made of the media. When a mirror image is created, specialized equipment and tools are used to essentially make the media read-only and prevent any alteration of the data stored. During collection, in most cases, a digital fingerprint, or hash, is created. Comparing against this hash confirms that future copies of the evidence are identical and that the evidence examined has not changed. Evidence collection may be done in the field or by sending the evidence to our lab.

Evidence Processing & Analysis: During this stage, we analyze the data using industry-standard computer forensics methods, procedures, and tools. We analyze what happened, when it happened, how it happened, and who was involved. During this stage, we look for data that may be obfuscated or hidden. This may include compressed, encrypted, or deleted data. We examine slack space and free space on the storage media to find deleted data. As we complete this process we paint a picture of what happened.

Expert Reports: After the analysis stage, it is normal and customary to create a written report. This computer forensics report will include the relevant information that applies to the case. Our reports are compiled and written in plain English. They are easily understood and may be presented in court. In general, they include information regarding the background of the case, the methodologies employed, the documents reviewed, the evidence reviewed, as well as the facts retrieved from the evidence. Exhibits may be attached to the report and referenced to show the reading party what the evidence contained. Expert opinions may also be stated when the evidence doesn't speak for itself. Our reports are regularly used in settlement negotiations, plea negotiations, and court hearings. Affidavits may be included to make the report sworn testimony.

Expert Witness Testimony: This is normally the final stage of our work. Whether in deposition, court hearings, or trial, our experts are skilled at presenting complex digital information in plain English. Our expertise can be relied upon to explain complex digital evidence so the fact finders will understand. We sometimes utilize exhibits and technology, such as multi-media, in order to enhance the expert testimony and make the evidence easy to understand for the Judge in a bench trial or the Jury. Our experts have testified in state as well as federal courts. In addition, we have experience in mediation and arbitration cases. We also serve as special masters and have done so at state and federal levels.

Computers store data on Storage Media including:

  • Hard Disk Drives
  • Floppy Disks
  • Backup tapes
  • CD-ROM discs
  • EPROM and memory chips
  • SD Cards
  • Thumb Drives
  • And More!

Common data retrieved from Storage Media:

  • Internet history files
      • What websites have been visited
      • What files were downloaded
      • Length of visit
  • Records of files printed
  • Deleted documents
  • Evidence of erasure of data
  • Accounting system information
  • Hidden Files
  • Email
  • Instant Messages
  • Computer System Intrusions

And much more.
