METHODS
The process of investigating digital evidence must be performed in a forensically sound manner. Forensic Pursuit has the skills to properly collect, protect, analyze, and document computer evidence using only industry best practices and court-accepted techniques. All Forensic Pursuit analysts are certified Computer Forensic Investigators and are trained on all the latest tools and techniques.
Strategy
|
|
|
|
Forensic Pursuit will have a discussion with the client, in person or over the phone to determine the following: |
|
|
Who are the parties involved? |
|
|
What is the issue of concern? |
|
|
What specific hardware items are the subject of the investigation? |
|
|
Are there legal issues involved with extracting data from the media in question? |
Acquisition
|
|
|
|
|
All data must be acquired using sound forensic methods to ensure future court admissibility. |
|
|
Media must be separated from its host computer or other hardware prior to forensic copying. A target computer must never be powered up under any circumstances. Simply starting a computer permanently alters data on the hard drive. A typical Windows computer can write data into a thousand or more files just during its startup procedure. |
|
|
Digital images created by Forensic Pursuit are perfect bit-for-bit copies that legally sound. All images are verified using a unique mathematical value. |
|
|
Forensic collection can be performed at the client site or at Forensic Pursuit’s forensic laboratory. |
|
|
The original media will only be connected once, for the purpose of making this forensic copy, and will be connected using a write blocker to ensure the contents of the media are not changed in any way by the copy process. |
Extraction
|
|
|
|
|
|
|
|
|
|
Extraction of computer evidence will always be done from a forensic copy of the media. |
|
|
Extraction is actually done on a second copy of the media called the “working copy”. The original “forensic copy” is not analyzed directly and is only used to make future working copies. Of course, all copies are verified using a unique mathematical value before any analysis works begins. Our engineers will follow court-accepted forensic protocols, and us only court-accepted forensic tools for data extraction. |
|
|
Extracted data can include: |
|
o |
Deleted and Hidden Data |
|
o |
Password Protected Data |
|
o |
Intentionally Altered Data |
|
o |
Data From Reformatted or Repartitioned Hard Drives |
|
o |
Email Including Deleted Email |
|
o |
Data From Unallocated and Slack Space |
|
o |
Data Hiding in Swap Files |
|
o |
File Created, Modified, and Last Accessed Times |
|
o |
Web Sites Visited |
|
o |
Files Transferred or Downloaded |
Analysis
|
|
|
|
Computer forensic analysis is part art and part science. There is no easy answer to the question: “Where do you look for evidence?” Data must be thoroughly vetted, validated, and placed in context. Intent cannot be identified until the meaning of the data is truly understood. |
Reporting
|
|
|
|
After the analysis is complete, it is time to present the results. The goal of any evidence presentation is to persuade the audience using the evidence. Forensic Pursuit will provide to the client a detailed forensics report encompassing systems collected, chain of custody, search results, forensic parameters, and observations from the forensics engineer. We also include exhibits on CD-ROM for in-depth supporting data. |
|
