Investigative Process
Preliminary
The goal of a preliminary computer forensic investigation is to quickly examine the hard drive media to either recover a specific known file or to determine what kind of data recovery is possible. Additionally, it will determine if potential evidence exists which warrants a more thorough Level 1 or Level 2 examination.
In a preliminary exam, the original hard drive or media is viewed, but not copied. A preliminary computer forensic exam is limited in its scope and would not be sufficient for courtroom admissibility. A preliminary computer forensic exam is appropriate when the contents of the media or hard drive are known and the client needs a recommendation on strategies for moving forward with the investigation.
A level one standard computer forensic investigation involves a detailed, methodical examination of the hard drive or media. A bit by bit copy of the original hard drive is created and then verified. For security purposes, the level 1 computer forensic exam takes place on the copy and the original is properly secured for safekeeping. The examination may focus on one or several aspects of the overall investigation. For example, the client may seek to uncover specific evidence, or to prove certain files do not exist. Evidence may be incriminating or exculpatory in nature. We are always completely impartial and will report to you any evidence we find. A typical standard computer forensic investigation may focus upon:
- Existing files
- Deleted files
- Extensive keyword or keyphrase searches
- Extensive searches for particular file or evidence types
- Internet browsing history
  - Sites visited
  - Graphics viewed
  - Cookies stored on computer
  - Files downloaded
  - Web mails sent and received
- Email evidence
  - Outlook emails sent and received
  - Outlook Express emails sent and received
  - AOL mails sent and received
  - Deleted emails
  - Files sent and received
  - Other mail applications used
- Typical business applications such as Microsoft Office
  - Files created in programs such as Word, Excel
  - Deleted files
  - Files sent and received
  - Financial data generated by QuickBooks, Intuit or other financial applications
- Pictures created by digital cameras
- File download applications (Kazaa, Morpheus, Napster, etc.)
We do not take shortcuts. The software and examination methodology we use have been validated by numerous trial and appellate court rulings. It takes many hours to properly examine a computer and create a defensible set of reports and documents that will stand up to legal scrutiny.
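The imaging step described above, in which a bit by bit copy of the original is created and then verified, can be illustrated in Python as follows. This is an added example, not the firm's own tooling or court-validated forensic software; the file names, chunk size and sample data are constructed, and a regular file stands in for a write-blocked drive.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size in bytes (assumed value)

def sha256_of(path):
    """Hash a file in fixed-size chunks so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def image_and_verify(source, image):
    """Copy source to image byte for byte, then verify by re-reading both."""
    acquired = hashlib.sha256()
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acquired.update(block)  # hash exactly what was read from the source
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())      # force the copy to disk before re-reading
    report = {
        "acquisition_sha256": acquired.hexdigest(),
        "image_sha256": sha256_of(image),          # what actually landed on disk
        "source_after_sha256": sha256_of(source),  # source re-read after imaging
    }
    report["verified"] = (report["acquisition_sha256"] == report["image_sha256"]
                          == report["source_after_sha256"])
    return report

def demo():
    """Image a constructed sample file, then show one altered byte is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "media.bin")  # stand-in for the drive
        image = os.path.join(workdir, "media.img")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 1000 + b"tail")  # constructed sample data
        report = image_and_verify(source, image)
        with open(image, "r+b") as f:  # simulate corruption of the working copy
            f.seek(100)
            f.write(b"\xff")
        copy_still_matches = sha256_of(image) == report["acquisition_sha256"]
        return report, copy_still_matches

if __name__ == "__main__":
    print(demo())
```

Recording the acquisition hash at imaging time is what lets the working copy be re-checked later: any change to the copy, even a single byte, produces a different digest.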
A level 2 computer forensic investigation is extremely comprehensive in nature. A level 2 exam is required when the client is looking for difficult-to-find evidence or is looking for specific exculpatory or incriminating evidence. Often, the data recovered can be corroborated with several pieces of evidence on the hard drive.
A level 2 computer forensic investigation is required when:
- There are passwords that must be cracked
- Data has been encrypted or deliberately hidden
- There is an unusual hardware configuration
- The system to be examined is a legacy system (the computer is old)
- Elaborate cross-references need to be conducted to corroborate multiple pieces of data
- A comprehensive analysis must be performed to establish patterns of activity or behavior
Both Level 1 and 2 computer forensic investigations are designed to withstand scrutiny and cross-examination in a court of law.
Suspicious Computer?
STOP!
1. Do not start the computer.
Simply turning on a computer can destroy crucial evidence or render it inadmissible.
2. Secure the computer.
If the computer is not running, place it in a secured area with controlled access.
3. Control Access.
If the computer is running, contact us and we will advise you on the proper procedure. Do not let anyone access the computer.



