Have a question that isn't on our FAQ? Contact Andrew Donofrio, our Director of Cyber Security & Digital Forensics.
What is “Computer Forensics”?

Computer forensics is a specialized service that provides and documents digital evidence for possible use in litigation. A computer forensic investigation is highly disciplined, and its results can be repeated and proven to be accurate, which is crucial for any digital evidence to be admissible in court.
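As an added illustration of why repeatable, provable results matter (this is example code written for this page, not code from MSA Investigations), the following Python script images a constructed in-memory "device", records a SHA-256 acquisition hash while the bytes are copied, and then re-verifies the image independently; it also shows that a single flipped bit in a copy is detected. The device contents, the block size and the function names are assumptions made for this example; a real acquisition reads the source through a hardware write-blocker.

```python
import hashlib
import io

CHUNK = 4096  # bytes read per step; a constructed value, imaging tools use larger blocks


def sha256_of(stream):
    """Stream-hash a binary file-like object without loading it whole into memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Copy every byte of `source` into `image`, hashing the data as it passes through.

    The digest returned is the acquisition hash recorded at imaging time. In practice
    the source is read through a hardware write-blocker; here it is a constructed
    in-memory stream that this function only ever reads.
    """
    h = hashlib.sha256()
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        image.write(block)
    image.flush()
    return h.hexdigest()


def verify(image, expected_digest):
    """Re-hash the image independently; a match proves it is still bit-identical."""
    image.seek(0)
    return sha256_of(image) == expected_digest


def acquire_bytes(data):
    """Convenience wrapper for in-memory sources: returns (image bytes, digest)."""
    image = io.BytesIO()
    digest = acquire(io.BytesIO(data), image)
    return image.getvalue(), digest


def demo():
    """Image a constructed ~100 KB 'device', verify it, then show that one flipped
    bit in a mishandled copy fails verification. Returns (digest, intact, tampered_ok)."""
    device = io.BytesIO(b"\x00" * 1000 + b"EVIDENCE MARKER" + b"\xff" * 100000)
    image = io.BytesIO()
    acq_hash = acquire(device, image)
    intact = verify(image, acq_hash)

    buf = bytearray(image.getvalue())
    buf[1000] ^= 0x01                       # flip one bit of the copy
    tampered_ok = verify(io.BytesIO(bytes(buf)), acq_hash)
    return acq_hash, intact, tampered_ok


if __name__ == "__main__":
    digest, intact, tampered_ok = demo()
    print("acquisition sha256 :", digest)
    print("image verifies     :", intact)
    print("tampered verifies  :", tampered_ok)
```

Recording the acquisition hash in the case log and re-hashing the image before each analysis session is what allows a second examiner to reproduce the findings from the same evidence.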
What are the common situations in which Computer Forensics is used?
What can a Computer Forensic examination provide?
Can deleted emails be recovered?

When emails are deleted from your Inbox, there is still a chance that they reside on the server or in other areas of a computer. Computer forensic tools and methods allow for the extraction and examination of email storage, including information that had previously been deleted.

If someone uses a webmail account like Gmail, Yahoo or Hotmail, is it possible to find that email?

Can deleted files be recovered?

Can password protected files be accessed?

What does the term “metadata” mean?

I think that a computer in my company may contain important evidence. What do I do?

Most importantly, let’s begin with what you should NOT do:

- Do NOT use the computer or attempt to search for evidence, as any further use of the computer may damage and taint any evidence that might exist on the device.
- Do NOT turn it on. If the suspected computer is turned off, leave it off. A trained computer forensic investigator will use specific methods, tools and procedures to retrieve and preserve critical electronically stored information. By powering on the system you run the risk of changing the data on the computer forever and losing valuable evidence.
- If the computer is on, do NOT initiate a normal “Shut Down” process to turn the computer off. If you must shut down the computer, unplug it from the back of the tower or at the outlet. If a computer is on or running, it is important to collect information about running programs and applications; when a computer is used or turned off, that information is lost permanently. Turning a computer off also initiates a set of commands and actions that can change the contents of the hard drive. When a powered-on computer has been compromised or contains evidence, it is very important that a live computer forensic examination be performed, if possible.
- Do NOT type on the keyboard or move the mouse.
- Do NOT allow the internal IT staff to conduct a preliminary investigation.
- Do NOT remove any USB drives/devices, SD cards, or other devices that are connected to the computer.

In addition, always be sure you DO complete the following:

- Do store the computer in a secure place and/or, if possible, secure the area in which the computer is located.
- Do keep a detailed log of
- Do photograph the screen if the computer is “on” and something is displayed on the monitor.
- Do contact MSA Investigations immediately.

I think that a cellphone in my company may contain important evidence. How should I handle it?

- If the device is “off”, do not turn it “on”.
- If the device is on, leave it on. Shutting down the device could enable password protection, thus preventing access to evidence and/or resulting in the loss of data evidence.
- Photograph the device and its screen display (if available).
- Label and collect all cables and transport them with the device.
- Keep the device charged. If the device cannot be kept charged, analysis by a specialist must be completed before the battery discharges or the data may be lost.
- Document all steps involved in the seizure of the device and its components.

What are the cons to NOT calling a Computer Forensic expert immediately?

It’s also true that the simple act of turning the computer on or looking through files can potentially damage the very data you’re seeking. File creation dates can change, files can be overwritten, and evidence can be corrupted. All of these risks can be lessened by contacting a Computer Forensics expert immediately and acquiring an image of the computer as quickly as possible, without destroying or altering any valuable evidence.

We have no plans to take anyone to court and merely want to make sure that an employee is not violating our company policy. Can’t we just have our in-house IT staff take a look?

There are four main reasons why in-house IT is not the best choice for such a task:
In summary, while an in-house IT staff may have a considerable amount of knowledge and experience with computers, perhaps even data recovery, it is highly unlikely that they have the requisite knowledge of the forensic protocols that must be observed to find all of the evidence, protect the data, and ensure the admissibility of evidence in civil or criminal trials. We take steps to safeguard the computer data, and we have the training, experience, and tools to conduct a thorough examination of computer data and interpret what we find. Additionally, if an employee is terminated as a result of the investigation and litigation does ensue at a later date, you almost certainly will have the e-evidence necessary to support your case in court.

What if we have already utilized our in-house IT staff and the recovery didn’t go as planned? Can you still assist us?

How does Computer Forensics differ from data recovery?

When digital media is imaged (an exact replica of the original is made), all files and folders are recovered along with deleted data, and the ability to view any hidden or un-partitioned space is gained as well. Computer Forensics is a service concerned with providing evidence (or proving a lack of evidence) regarding how a computer was used, what files were accessed and at what time, and who accessed them. Computer Forensics investigators are able to find, assemble, analyze, and explain large amounts of digital information that would not be particularly helpful for data recovery services but is invaluable in a court of law.

What types of data do you focus on in your investigations?
How does the Certified Computer Forensics Investigators’ recovery process work?

Next, the investigation discovers all files on the subject's system. In many cases, information gathered during a computer forensics investigation is not typically available or viewable by the average computer user, such as deleted files and fragments of data that can be found in the space allocated for existing files (known by computer forensic practitioners as slack space). Special skills and tools are needed to obtain this type of information or evidence.

Then, the investigation copies, protects and preserves the evidence from any possible alteration, damage, data corruption, or virus introduction that may render the evidence inadmissible in court.

Then, the investigation recovers all deleted files and other data not yet overwritten. A deleted file will remain resident on a hard drive until the operating system overwrites all or some of the file. So in order to preserve as much relevant data as possible on a computer system, you must acquire the relevant computers as soon as possible. The on-going use of a computer system may destroy data that could have been extracted before being overwritten.

Finally, the investigation includes an analysis of all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as 'slack' space in a file.

What do I receive after a computer investigation?
Please note, the findings section may include file listings with file dates/timestamps, document printouts, e-mail printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results. The examiner’s conclusions may be the most critical component of the final report. These conclusions, based upon the examiner’s expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.

What does a computer forensic examination cost?

The cost includes the three basic components of the full investigation: Acquisition, Investigation, and Reporting. On their own, acquisitions usually cost approximately $750.00. Investigation and reporting, of course, depend on the nature of your case.

What is the first phase of investigation in digital forensics?

The Digital Forensic Process
First, investigators find evidence on electronic devices and save the data to a safe drive. Then, they analyze and document the information. Once it's ready, they give the digital evidence to police to help solve a crime or present it in court to help convict a criminal.
How does a digital forensic analyst find data in files that may be lost?

Forensics tools allow investigators to directly access memory chips removed from devices such as mobile phones, satellite navigation devices, car electronics, and USB flash drives. This technique can be used to recover data from devices that have been physically damaged or are password protected.

Which evidence source should be collected first when considering the order of volatility?

In general, you should collect evidence starting with the most volatile and moving to the least volatile. For example, random access memory (RAM) is lost after powering down a computer.

What are the four steps of a digital forensics investigation?

Digital forensics is the process of identifying, preserving, analyzing, and documenting digital evidence.
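The recovery-process answer earlier on this page describes deleted files lingering on disk until overwritten, slack space at the end of a file's last allocation unit, and keyword searches over unallocated space; the four-step list just above names the analysis step in which that happens. The following Python script, added here as an example and not code from the page or from MSA Investigations, builds a constructed eight-cluster toy disk image, writes and deletes a memo, partially overwrites it with a new file, and then extracts the live file, its slack, the unallocated clusters, a best-effort reconstruction of the deleted file, and keyword hits across all three regions. The cluster size, the file contents and every function name are assumptions made for this example; real filesystems differ in how directory entries and cluster chains survive deletion.

```python
import re
from dataclasses import dataclass

CLUSTER = 64     # bytes per allocation unit; constructed, real filesystems use 4 KiB or more
N_CLUSTERS = 8   # constructed toy disk geometry

@dataclass
class DirEntry:
    name: str
    start: int     # first cluster of the file (files are contiguous in this toy)
    size: int      # logical size in bytes
    deleted: bool  # deletion keeps the entry and frees the clusters; data is not wiped

def clusters_of(entry):
    """Cluster indices a file of entry.size bytes occupies from entry.start."""
    n = -(-entry.size // CLUSTER)  # ceiling division
    return list(range(entry.start, entry.start + n))

def live_clusters(entries):
    """Clusters currently owned by a non-deleted file."""
    used = set()
    for e in entries:
        if not e.deleted:
            used.update(clusters_of(e))
    return used

def write_file(disk, entries, name, data, start):
    """Write data contiguously from cluster `start` and add a live directory entry."""
    disk[start * CLUSTER : start * CLUSTER + len(data)] = data
    entry = DirEntry(name, start, len(data), deleted=False)
    entries.append(entry)
    return entry

def read_file(disk, entry):
    """The bytes a normal user sees: exactly entry.size bytes from the first cluster."""
    return bytes(disk[entry.start * CLUSTER : entry.start * CLUSTER + entry.size])

def file_slack(disk, entry):
    """Bytes between the logical end of a file and the end of its last cluster."""
    if entry.size == 0:
        return b""
    end = entry.start * CLUSTER + entry.size
    last_end = (clusters_of(entry)[-1] + 1) * CLUSTER
    return bytes(disk[end:last_end])

def unallocated_space(disk, entries):
    """(cluster index, contents) for every cluster no live file owns."""
    used = live_clusters(entries)
    return [(c, bytes(disk[c * CLUSTER : (c + 1) * CLUSTER]))
            for c in range(N_CLUSTERS) if c not in used]

def recover_deleted(disk, entry, entries):
    """Reassemble a deleted file from its old clusters; clusters reused by a live
    file are reported as overwritten and filled with '?' placeholders."""
    used = live_clusters(entries)
    chunks, overwritten = [], []
    for c in clusters_of(entry):
        if c in used:
            overwritten.append(c)
            chunks.append(b"?" * CLUSTER)
        else:
            chunks.append(bytes(disk[c * CLUSTER : (c + 1) * CLUSTER]))
    return b"".join(chunks)[: entry.size], overwritten

def keyword_search(disk, entries, keyword):
    """Hits as (region, offset) across live files, their slack, and unallocated clusters."""
    pattern = re.compile(re.escape(keyword))
    hits = []
    for e in entries:
        if e.deleted:
            continue
        hits += [(f"file:{e.name}", m.start()) for m in pattern.finditer(read_file(disk, e))]
        hits += [(f"slack:{e.name}", m.start()) for m in pattern.finditer(file_slack(disk, e))]
    for c, data in unallocated_space(disk, entries):
        hits += [(f"unallocated:cluster{c}", m.start()) for m in pattern.finditer(data)]
    return hits

def build_toy_image():
    """Constructed scenario: a 150-byte memo is written and deleted, then a 40-byte
    file reuses the memo's first cluster. The memo's tail survives in the new file's
    slack and in unallocated clusters 1 and 2."""
    disk = bytearray(N_CLUSTERS * CLUSTER)
    entries = []
    memo = (b"MEMO: move the audit files off the shared drive tonight; "
            b"delete the vendor invoices and clear the recycle bin before the review.")
    memo = memo.ljust(150, b".")
    write_file(disk, entries, "memo.txt", memo, start=0)   # clusters 0, 1, 2
    entries[0].deleted = True                                # bytes left in place
    write_file(disk, entries, "notes.txt", b"grocery list: eggs, milk, bread, coffee.", start=0)
    return disk, entries

if __name__ == "__main__":
    disk, entries = build_toy_image()
    memo, notes = entries
    print("visible file :", read_file(disk, notes))
    print("file slack   :", file_slack(disk, notes))
    print("recovered    :", recover_deleted(disk, memo, entries))
    print("keyword hits :", keyword_search(disk, entries, b"invoices"))
```

Running the script shows why the page insists on acquiring a system as soon as possible: only the first cluster of the memo has been reused, so most of it is still recoverable from unallocated space, and even the reused cluster still leaks 24 bytes of the memo through the new file's slack. Every further write to the disk shrinks what can be recovered.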