
Computer Forensics

We've developed a highly exhaustive consultative approach to computer forensic analysis in order to help you recover, convert, review and present the findings of a forensic investigation. Our highly skilled consultants provide forensic services to law firms, legal departments of corporations, law enforcement and government agencies. And with offices across the country in New York, NY; San Diego, California; Graham, Texas; and Atlanta, Georgia, eMag can offer a timely response to your immediate needs.

Computer forensics is a much different process than data recovery. Where data recovery is the reconstruction of digital information that was deleted by a user or seemingly lost by a mechanical or software failure, computer forensics is the legally accepted practice of preserving and analyzing pertinent digital information. The goal of computer forensics is that the data recovered is valid and the original data is not changed so that it can be used as evidence in a court of law.

Computer Forensic Capabilities

Retrieval of Deleted E-Mails, Hidden Files and Documents

  • E-mails can be saved on a computer simply by viewing them.
  • This data can reside on a computer for up to several years.
  • E-mails might be fragmented and need to be reconstructed depending on the activity on the computer, size of the hard drive, and other factors.
  • Retrieval is possible with deleted files.
  • Hidden files can be retrieved, whether they were hidden by renaming, password protection, encryption, steganography, compression, etc.

A trained forensic examiner can retrieve files that are deleted, disguised, hidden or encrypted (up to 128-bit encryption) - far beyond a normal examination of data.

Examination of Internet Activity

Viewing web pages on the Internet will often leave "virtual footprints" behind that allow forensic experts to determine what web sites were viewed, at what time and what the documents contained. A computer expert can analyze an employee's computer to determine if they have been conducting activity that should not be occurring in a work environment. Web surfing and secondary e-mail accounts (Hotmail, Yahoo!) can all be analyzed to determine what Internet activity is occurring on the work computer.

Computer Usage History

  • Details of what programs the user has accessed
  • Timeline analysis (log file) to show what the user did and when it occurred
  • Identification of user activity by accounts (e-mail and Windows user accounts) and what files were accessed when
  • Determination of whether any malicious software has been placed on a computer, such as a key logger, spyware, wiper programs to hide evidence or even programs that allow remote access to the computer

Steps to Successful Computer Forensic Examination

Forensic specialists have a major responsibility to their client to take great care in extracting and consolidating all of the data that could potentially become evidence in a case. Basically this becomes an investigation of digital evidence and the road leading to possible litigation. The steps our experts take to lead to success for a client include:

Data Preservation

Due to the volatile nature of electronic data and the potential for spoliation, our forensic experts will assist with advice on preserving data before the investigation begins. And during the examination, eMag's state-of-the-art forensic tools and processes ensure the examination will be done without compromising the integrity of the data (potential evidence).

In many cases the type of operating system will be a key in making important decisions concerning the preservation of the data. It is important to understand that when any device (PC, laptop, etc) starts, operates or suspends, data may be changed, modified or deleted. Before you turn a device on or off, contact us today.

Investigation

The initial response includes investigating what operating system is running, interviewing key users of an organization and determining the best approach to protect the data involved. The initial collection of important information is key to the success of a computer forensic examination. Data that may be involved in an investigation can come in all forms of media including PCs, laptops, cell phones, digital cameras, mainframes or servers, tape backups, thumb drives, and PDAs. The method in which data is collected can be the most scrutinized aspect of a digital investigation.

Imaging

  • Imaging is a bit-by-bit replication of the original digital evidence.
  • Our forensic consultants use court approved methods and software in order to capture a forensic image copy (MD5 Hash) of the hard drive.
  • Ensures output is fully admissible in court as evidence.
  • We are able to copy all forms of active storage media and backups (server, tape, etc) that could be potential evidence.
  • Using forensically sound tools we are able in most cases to view deleted files, printed documents, internet related files and hidden directories.
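
The imaging step above rests on showing that the copy is identical to the original. The following is an added example, not eMag's tooling: it copies a source byte for byte while hashing it, then re-hashes the image to confirm nothing changed. The function names and the in-memory sample "drive" are constructed for illustration, and recording SHA-256 next to the MD5 hash the page mentions is an assumption of this example.

```python
import hashlib
import io

CHUNK = 1 << 20  # read size; real imaging tools align reads to sector boundaries

def acquire(source, image, algorithms=("md5", "sha256")):
    """Copy source to image byte for byte, hashing the data as it is read.

    Returns (bytes_copied, {algorithm: hexdigest}) for the acquisition record.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    copied = 0
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        image.write(block)
        for h in hashers.values():
            h.update(block)
        copied += len(block)
    return copied, {name: h.hexdigest() for name, h in hashers.items()}

def verify(image, recorded):
    """Re-hash an image and list every algorithm whose digest no longer matches."""
    hashers = {name: hashlib.new(name) for name in recorded}
    for block in iter(lambda: image.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return [name for name, h in hashers.items() if h.hexdigest() != recorded[name]]

def demo():
    # Constructed stand-in for a source drive: 3 MiB plus a partial final block.
    source = io.BytesIO(bytes(range(256)) * 12288 + b"tail")
    image = io.BytesIO()
    size, digests = acquire(source, image)
    image.seek(0)
    intact = verify(image, digests)   # empty list: image matches the original
    image.seek(1000)
    image.write(b"\xff")              # single-byte change to the working copy
    image.seek(0)
    altered = verify(image, digests)  # every recorded digest now mismatches
    return size, intact, altered

if __name__ == "__main__":
    print(demo())
```

Against real evidence the source would be opened read-only behind a write blocker, and the recorded digests would go into the chain-of-custody record.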

Analysis

The analysis phase consists of the recovery and interpretation of the information that's been collected and authenticated. We are able to pinpoint a file's location on the disk, its creator, the date it was created, the date of last access, the date it was deleted, as well as file formatting, and notes embedded or hidden in a document.

We determine such information as:

  • What files were deleted from the computer
  • Which applications were installed/uninstalled
  • Which websites the user has visited
  • When the computer was last used
  • Whether data was copied off the computer

Why this information is useful

  • To create a timeline of events
  • To determine malicious intent
  • To determine violation of agreements
  • Much more

Where information is found

  • Active space - Storage area visible to the user of the computer
  • Slack space - Storage area that contains deleted data not yet overwritten by the operating system
  • Unallocated space - Storage area available to the operating system, but not presently being used by it

Expert Testimony

Our experts in computer forensics can reconstruct the computer usage based on forensic analysis of the data and systems. Our experts consult with litigants and testify on their behalf regarding electronic data history, a blueprint of what has happened. Because we use forensically sound and court approved methodologies we stand ready to defend our processes.

  1. The testimony is based upon sufficient facts or data.
  2. The testimony is the product of reliable principles and methods.
  3. The witness has applied the principles and methods reliably to the facts of the case.

Contact eMag today to get a computer forensic quote.
