Not all cases are created equal. Variables such as type of concern, number of computers, background of user, etc. can help determine the likelihood of locating usable evidence. Rather than making empty promises of guaranteed results, we try to make educated decisions, which is just good business for you and us.
This is the act of acquiring forensic images or copies of suspect machines and devices. The forensic part is where an entire bit-for-bit or “bitstream” copy of evidence is captured regardless of the operating system (Windows, Mac, Linux, Unix). This can be done no matter the device: desktop computer, laptop computer, server, cell phone, smartphone (iPhone, Android, BlackBerry, Symbian), tablet (iPad, Samsung, etc.), raw hard drive, flash drive or backup tape, to name a few devices and mediums.
In some rare cases, it is not possible to take a proper forensic image (running server, damaged media, etc.), in which case we take what we refer to as an “evidentiary snapshot.” Another time this is appropriate is when the device remains in service, but a current state capture is desired in the event it is needed at a later date.
Backup Tape Restoration
This is applicable when no other evidence exists or as a way of “dipping a toe into the water” of gathering forensic data in an attempt to determine if further, more intrusive data gathering is warranted. Sometimes all the data needed for an investigation is retrieved from a server backup tape. Other times, evidence is obtained from the tape as a way of disproving allegations without any further work or cost. Also, restoring email is useful when needed for litigation or in response to court-ordered production. This can be done from a myriad of formats, on current or out-of-date media (including obscure backup tape formats!): SDLT, LTO, DLT, DDS, Travan, AIT, 4mm, 8mm, Iomega ZIP, Jaz, and Onstream, to name a few.
Email Search Processing
Whether retrieved from a computer’s forensic image, an onsite copy of an Exchange database, restored from tape or even given to us as an Outlook PST file, we can index and return specific results based on keywords, specific time periods or just data types.
Meta Data File Analysis
Want to know who created that document or worked on it last? How about how long since it’s been edited or when it was printed last? Those are simple examples, but many file types besides Microsoft Office formats keep “data about data” such as that above. Sometimes getting to the data is less than straightforward and can reveal some interesting things that can be helpful in the course of a case.
Deleted File Recovery
It seems everyone knows that when you hit the delete key it doesn’t “really” delete, but there are a myriad of ways to retrieve deleted files once they’ve gone “beyond the recycle bin”! We employ programs, scripts and sometimes just some “out of the box” thinking when recovering data that was thought to have actually been long gone.
When a file is no longer available, carving can help either extract the information you need or piece together that lost file. Carving is just as it sounds: carving data out of either unrelated files or from a larger cache, such as a swap file, page file or hibernation file.
Keyword Searches for Evidence
Long a mainstay of forensics, searching for specific terms, names, or companies can prove helpful in retrieving evidence of theft or other malfeasance. Oftentimes, these searches do not solve the case by themselves, yet they lead to the uncovering of other data of importance.
Forensic Data Reporting
We provide end-result reports for managers, human resource professionals, owners or for court purposes. While the data uncovered in the course of an investigation is all the same, we can tailor the reporting so that it provides the most impact to a specific need and audience.
Future Mitigation Strategies
Development of policies, procedures or education can help prevent future issues when it comes to people and data. Part of a defensible strategy is having a plan to protect; we can assist with all facets of this, particularly in the small-to-medium-size business arena.
Logging can take place on or with operating systems, servers, programs, routers, switches or just about anything that may later need to have a log reviewed. Reviewing such logs can yield tangible information in and of itself, or can point to other sources of evidence.