Corporations and law firms that try to do their own computer investigations usually end up feeling as if they are burning the candle at both ends, and they still do not have the answers they need. This is because they have stepped outside their own field of expertise and into a branch of computer science in which they have none.
A preliminary computer forensic investigation examines all pertinent materials, not just the computer or hard drive, in order to focus the direction of the examination. We can then determine whether a level one or a level two examination of the computer and hard drive is needed.
In a level one examination, an image is made of the suspect hard drive and the resulting image file is thoroughly examined for evidence pertaining to the case. We use a variety of software approaches to accomplish this. One reason is to find every piece of data available for your case. Another is verification: if a computer forensic case goes to court or disposition, the ability to state that we duplicated our results using different methods is frequently the deciding factor in winning the case.
Some of the examination methods include the following:
- High-level, court-approved examination software to find all existing and most deleted files.
- Physical examination of supposedly empty hard drive areas known generically as "slack space."
- Physical examination of hidden and undocumented file space that is normally empty but is used by skilled criminals to hide data.
- Examination of any available network log files to verify Internet or network activity.
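As an added illustration of the slack-space examination listed above (example code written for this page, not Precise Cyber Forensics' own tooling): it builds a small constructed disk image in memory, hashes the image so its integrity can be confirmed after examination, and carves the file slack between a file's logical end and the end of its last allocated cluster. The cluster size, file layout and memo text are all assumptions.

```python
import hashlib
import re

CLUSTER_SIZE = 512  # assumed cluster size for the constructed image


def build_sample_image():
    """Constructed 4-cluster image. Cluster 1 once held a 248-byte memo that was
    deleted; a new 100-byte file now occupies the start of the cluster, so the
    tail of the old memo survives in the file slack."""
    residue = b"DELETED MEMO: " + b"meeting moved to room 204 per manager. " * 6
    old_cluster = residue.ljust(CLUSTER_SIZE, b"\x00")
    live_file = b"Quarterly summary, nothing unusual.".ljust(100, b" ")
    cluster1 = live_file + old_cluster[len(live_file):]
    empty = b"\x00" * CLUSTER_SIZE
    return empty + cluster1 + empty + empty


def image_hash(image):
    """SHA-256 of the whole image; record it at acquisition and re-check it
    after every examination step to show the evidence was not altered."""
    return hashlib.sha256(image).hexdigest()


def extract_slack(image, first_cluster, cluster_count, logical_size):
    """Return the file slack: bytes from the file's logical end to the end of
    its last allocated cluster. The live file's own bytes are not touched."""
    allocated = cluster_count * CLUSTER_SIZE
    if logical_size > allocated:
        raise ValueError("logical size exceeds allocated clusters")
    start = first_cluster * CLUSTER_SIZE + logical_size
    end = first_cluster * CLUSTER_SIZE + allocated
    return image[start:end]


def printable_strings(data, min_len=8):
    """Carve runs of printable ASCII of at least min_len bytes from a blob."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


if __name__ == "__main__":
    image = build_sample_image()
    acquired = image_hash(image)  # hash taken at acquisition time
    slack = extract_slack(image, first_cluster=1, cluster_count=1, logical_size=100)
    for s in printable_strings(slack):
        print("slack string:", s)
    assert image_hash(image) == acquired, "image changed during examination"
```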
While there are no typical cases, it is usually not possible to perform a professional-level exam that will hold up in court in less than 20 hours. If you are facing a deadline, please keep this in mind.
Call (360) 651-2391 and ask for Steve to discuss how Precise Cyber Forensics can help you with your current data examination or recovery needs.
In a level two examination, every aspect of a level one exam is accomplished, and in addition the hard drive is duplicated onto the exact same model and certain aspects of the operating system are examined visually, which cannot be done with just an image file. This method can yield very important information about Internet activity that cannot be obtained with a level one examination. One reason for this level of examination is to get a better impression of the human element that has been at the suspect computer.
The level two examination absolutely requires the exact same model of hard drive as the suspect's drive. This requirement will add time and cost to the examination: part of the extra time is for the client to obtain and provide us with the correct hard drive, and part is the visual examination of the operating system's environment for additional evidence.
There are times when this visual examination of the operating system and browser environment confirms suspected Internet activity on the suspect drive that remains no more than a suspicion after a level one examination.