Computer Forensics Consulting

Computer crimes are increasing exponentially each year, and we have found that our forensic investigation services now must include “computer forensics consulting” for preventative purposes, as well as for prosecution or litigation. When digitally encoded or stored information or evidence is collected, identified, examined and recorded in order to document an activity, we are conducting a computer forensic investigation. “Computer forensics consulting” is based on the same methodology of searching for, analyzing and documenting data, but with the additional goals of system improvement and protection.

Our computer forensics consulting services are recommended for the following applications:

  • security risk assessments
  • intellectual property protection
  • technical pretrial consulting and evidence evaluation
  • examination of potentially compromised systems
  • damage assessment and data recovery
  • recovery of deleted or lost files

Computer Forensic Investigation

If there is a ‘bug’ in your system, or you cannot explain an apparent information leak, a computer forensic investigation may reveal sabotage or the source of the leak. Some business intelligence professionals understand the wealth of valuable information stored in computer systems, and make it a practice to take what they can get … however they can get it. Spyware is a perfect example of a common business intelligence technique which is causing countless system problems and security breaches, especially for financial institutions.

During a computer forensic investigation, each computer is treated as a crime scene … because it has been the target or instrument of a crime. Our expert in computer forensics consulting will instruct our clients how to secure the scene to prevent corruption of evidence. By analyzing the server and terminal data, our expert will isolate and preserve the evidence which might reveal the methods and identities of individuals responsible for embezzlement, fraud, criminal or inappropriate conduct.

Click here to link with the US Secret Service for a review of their involvement in computer crime investigations.

Click here to view a recent report published by the Federal Trade Commission concerning the current spyware epidemic.

Extracting Hard Drive Data “Forensically”

Extracting data from a computer’s hard drive can reveal data that was deleted long ago. Below is an explanation of how data is forensically extracted and saved in our lab, not how data is saved on a hard drive or how the data changed over time. For the data to be considered “forensic”, the following requirements must be met. For the data to be used in court, it must withstand strict scrutiny.

  • The extracted data must be an exact copy of the data on the hard drive.
  • The extracting software and hardware must not alter the data that is on the hard drive.
  • The extracting software must have the capability of reaching every bit of data on the hard drive.
  • The data that is extracted must be protected during transit from the hard drive to the data storage facility in our lab.
  • The extraction system must only allow data to transfer from the subject hard drive to our data storage facility and block any data from transferring from the data storage facility to the subject hard drive as this will change the hard drive and void the attempt at forensic extraction.

Why Is Extracting Data Forensically Important?

Once a method that is not forensically sound is used to extract data from a computer hard drive, there is no proof that the extracted data is an exact copy of the original. This is especially important when the data is being used in a court of law. If the data was extracted by software that does not protect the computer data during the extraction process, then you can bet the opposing lawyer will argue that the data should not be allowed as evidence. It is extremely important that dedicated forensic software be used to protect the data from being changed in transit from the hard drive to the data storage facility where the extracted data will be saved.
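The requirements listed above (exact copy, one-way transfer, proof that nothing changed) can be shown with a small imaging routine. This is an added example, not the lab's own software or procedure; the function names, file paths and the choice of SHA-256 as the integrity check are assumptions made for illustration.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # read size in bytes (assumed value, not from the page)


def sha256_file(path):
    """Hash a file by streaming it, so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Copy source to image in one direction only and check the copy is exact."""
    source_digest = hashlib.sha256()
    copied = 0
    # O_RDONLY: this process cannot write to the source through this descriptor.
    # It is a software safeguard only and does not replace a hardware write blocker.
    fd = os.open(source_path, os.O_RDONLY)
    # Mode "xb" refuses to overwrite an image that already exists.
    with os.fdopen(fd, "rb") as source, open(image_path, "xb") as image:
        for block in iter(lambda: source.read(CHUNK), b""):
            source_digest.update(block)  # hash exactly what was read
            image.write(block)
            copied += len(block)
        image.flush()
        os.fsync(image.fileno())
    acquired = source_digest.hexdigest()
    stored = sha256_file(image_path)  # re-read the image from storage
    return {"bytes": copied, "source_sha256": acquired,
            "image_sha256": stored, "verified": acquired == stored}


def verify_image(image_path, recorded_sha256):
    """Re-check an image later (after transit or searching) against the recorded hash."""
    return sha256_file(image_path) == recorded_sha256


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as work:
        subject = os.path.join(work, "subject.bin")  # constructed stand-in for a drive
        with open(subject, "wb") as f:
            f.write(b"constructed sample sector data" * 100000)
        report = acquire_image(subject, os.path.join(work, "subject.img"))
        print(report)
```

Recording the hash at acquisition time and calling `verify_image` again before analysis gives a repeatable check that the image still matches what was read from the subject drive.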

How Is Computer Data Blocked From Altering The Subject Hard Drive?

Blocking computer data from altering the subject hard drive requires using both software and hardware write blockers, which provides redundancy against altering the data during a computer forensic extraction. The hardware write blocker provides a physical data block which is virtually foolproof. As a secondary measure, the forensics software should always have a software-based write blocker to keep data from being altered during and after the extraction process while data is being searched. This is extremely important, as any alteration to the data on the subject hard drive during the search for specific data will cause the entire disk image to become non-forensic.

What Software Does All in Investigations’ Lab Use?

Our lab uses the leading computer forensic data extracting software from companies such as Cellebrite, FTK, AccessData, Tableau and many others.  The software/hardware we use is the same used by most domestic as well as foreign government agencies, police departments and forensic labs.  An agent of All in Investigations can provide more information upon request to potential clients.