ABC Forensic Proc

"Computer Forensic, Management, and Security Consulting"



Above Board Computer Forensic Procedures

Step 1. 

Preserve the evidence! 

Even if you don’t think you’ll need it, this is not a risk worth taking.  It is very inexpensive to hire an expert to preserve the evidence.  The Above Board process is as follows: 

1. We receive the original media from you, label it and start the Chain of Custody documentation. At no point in our process will the original media be modified in any way. We use specific hardware write protection devices that are designed and tested to make sure they will not allow any changes to the drive.

2. We generate a hash value on the original media to provide a quantifiable measurement of the authenticity and integrity of the original media and of the image we will create later. This is essential to satisfy the admissibility standards of the Federal and State Rules of Evidence.

3. We create an image of the original media and, if you choose, return the image to you so the original computer can still be used. Once you get the image back, if you want to just “see what’s on the drive” you can do so without damaging any evidence. Keep in mind that your findings will still not be admissible in court, but if it’s on the image you have, it’ll be on the original as well.

4. We create another image of the original media and generate a hash value on it to make sure it is exactly the same as the original. This is the media that will be analyzed later if needed. It also is extra assurance against a hardware failure of the original media between the time the evidence is gathered and the time the case is brought into court.

5. We label the image, update the chain of custody documents, log the original and the image into our safe and store them until they are needed.
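The steps above (hash the original, image it, hash the image, confirm the two match, and record every hand-off) can be expressed as a small script. This is an added illustration, not Above Board's own tooling: the case number, examiner name and the 1 MiB "drive" are constructed, and the chain-of-custody log is a simple hash-linked list so that a removed or edited entry is detected. Opening the source read-only is only a guard against the script's own mistakes; the hardware write blocker the page describes remains the real protection.

```python
"""Added example (not Above Board's tooling): image a source medium, hash the
source and the image, verify they match, and keep a tamper-evident
chain-of-custody log. Case number, examiner and sample medium are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Optional

CHUNK = 1 << 20  # read 1 MiB at a time so a full drive never has to fit in RAM


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream a file (or a raw device node) through a hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_media(source: str, image_path: str) -> dict:
    """Copy the source bit for bit, then hash both sides and compare."""
    with open(source, "rb") as src, open(image_path, "wb") as dst:  # source opened read-only
        shutil.copyfileobj(src, dst, CHUNK)
    source_hash = hash_file(source)
    image_hash = hash_file(image_path)
    return {
        "source_hash": source_hash,
        "image_hash": image_hash,
        "size_bytes": os.path.getsize(image_path),
        "verified": source_hash == image_hash,
    }


class ChainOfCustody:
    """Append-only handling log; each entry carries the hash of the previous one,
    so deleting or editing an entry makes verify() fail."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        fields = {k: v for k, v in body.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, item: str, handler: str, detail: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "case_id": self.case_id,
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "item": item,
            "handler": handler,
            "detail": detail,
            "prev_hash": prev,
        }
        body["entry_hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_case(workdir: Optional[str] = None) -> dict:
    """Walk the preservation steps on a constructed 1 MiB stand-in for the original media."""
    workdir = workdir or tempfile.mkdtemp(prefix="forensic_demo_")
    source = os.path.join(workdir, "constructed_drive.bin")
    image = os.path.join(workdir, "evidence_image.dd")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # constructed content, 1,048,576 bytes

    log = ChainOfCustody("CASE-PLACEHOLDER-0001")  # placeholder case number
    log.record("received", "original drive", "examiner (placeholder)", "sealed bag, label E-1")
    log.record("hashed", "original drive", "examiner (placeholder)", hash_file(source))
    result = image_media(source, image)
    log.record("imaged", "evidence_image.dd", "examiner (placeholder)", result["image_hash"])
    log.record("stored", "original drive + image", "examiner (placeholder)", "safe")

    # Later integrity check: a copy that someone altered by one byte no longer matches.
    altered = os.path.join(workdir, "altered_copy.dd")
    shutil.copyfile(image, altered)
    with open(altered, "r+b") as f:
        f.seek(512)
        original_byte = f.read(1)[0]
        f.seek(512)
        f.write(bytes([original_byte ^ 0xFF]))
    return {
        "imaging": result,
        "custody_ok": log.verify(),
        "altered_detected": hash_file(altered) != result["image_hash"],
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(json.dumps(run_case(d), indent=2))
```

The hash is computed over the whole device in chunks, so the same function works on a multi-terabyte drive as on the sample file; only the digest of each item goes into the custody log, which keeps the log small while still binding each entry to the exact bytes that were handled.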

Important note!
None of the other Steps matter if you don’t do Step 1 before the drive is tampered with.

Step 2.

Analyze the media.

Once you decide you need to know what is on the drive that you preserved in Step 1, you let us know what you are looking for. We will use the latest tools and techniques to examine the media to recover documents, images, emails and other files, even if they have been deleted or the drive has been formatted. We will keep you apprised of our findings, and together we will determine how deep the examination needs to go.

Step 3.

Prepare the final report.

Once the analysis is finished, we will generate a confidential report including details on the procedures followed as well as all of our findings during the analysis. Our approach to computer forensics is very binary... the data is there or it’s not and never has been. We are not looking to determine guilt or innocence, only the presence or absence of data in the context in which it was created and presented, in order to answer as many of these questions as possible:

1. What is on the drive?

2. When was it created, accessed, modified and/or printed?

3. Where is the data stored on the drive? Specifically, was it recovered from free space, normal disk space, temporary space, etc., and more specifically, what physical sector was it stored on?

4. How was it stored? In other words, the application type and file type, hidden, encrypted, password protected, etc.

5. Who put it there? Any user information contained on the system and any corroborating evidence to prove that the user identified in the file is the person associated with that username. (We have to watch for things like users that forget to log out and/or share their passwords.)

We will also explain the limitations of our findings and suggest other ways you can confirm the user’s access to the computer, such as timesheets and/or physical building access reports, that can further corroborate or refute the evidence. In addition, we will report back to you any information we find about extraordinary measures the user may have taken to make sure the data was encrypted and/or eliminated from the drive.
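Questions 1 and 3 above (what is on the drive, and at which byte offset and physical sector it sits, including files recovered from free space) are typically answered by signature carving over the image from Step 1. The following is an added example, not Above Board's tooling: it scans a constructed 64 KiB image for JPEG and PNG headers and footers, reports each hit's offset, sector and SHA-256, and flags a file whose footer has been overwritten as incomplete instead of silently dropping it. The planted files and their payloads are constructed; only the JPEG and PNG markers are real format constants.

```python
"""Added example (not Above Board's tooling): carve JPEG and PNG files from a
raw image by signature and report where each one sits. The image and the files
planted in it are constructed for the demonstration."""
import hashlib

SECTOR = 512  # sector size assumed for the offset-to-sector arithmetic

# (header, footer) per the published JPEG and PNG formats
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_len: int = 16 << 20) -> list:
    """Find each header, then the first matching footer within max_len bytes.
    A header with no footer (partly overwritten file) is still reported,
    with complete=False and whatever bytes remain up to max_len."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            window_end = min(len(image), start + max_len)
            end = image.find(tail, start + len(head), window_end)
            if end == -1:
                data, complete = image[start:window_end], False
            else:
                data, complete = image[start:end + len(tail)], True
            found.append({
                "type": kind,
                "offset": start,
                "sector": start // SECTOR,
                "sector_offset": start % SECTOR,
                "length": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            # After a complete file skip past it; after a torn one only skip the
            # header so a later file inside the window is still found.
            start = image.find(head, start + (len(data) if complete else len(head)))
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image() -> tuple:
    """Constructed 64 KiB of 'free space' with three planted files; returns the
    image plus the (type, offset, length, complete) tuples carve() should yield."""
    image = bytearray(64 * 1024)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 500 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x22" * 300 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    torn = b"\xff\xd8\xff\xe1" + b"\x33" * 200  # header only: the footer was overwritten
    plan = [("jpeg", 3000, jpeg), ("png", 20000, png), ("jpeg", 40000, torn)]
    for _, off, blob in plan:
        image[off:off + len(blob)] = blob
    expected = [
        ("jpeg", 3000, len(jpeg), True),
        ("png", 20000, len(png), True),
        ("jpeg", 40000, len(image) - 40000, False),  # runs to end of image, no footer
    ]
    return bytes(image), expected


if __name__ == "__main__":
    sample, _ = build_sample_image()
    for hit in carve(sample):
        status = "complete" if hit["complete"] else "INCOMPLETE"
        print(f'{hit["type"]:4} offset={hit["offset"]:6} sector={hit["sector"]:4}'
              f'+{hit["sector_offset"]:3} len={hit["length"]:6} {status} {hit["sha256"][:16]}')
```

Because carving ignores the file system, the offsets it reports are positions in the raw image rather than in any directory, which is why the page distinguishes free space from allocated space: a carved hit in an unallocated region is exactly the "deleted but still present" case, and the sector number lets the finding be tied back to the original media whose hash was recorded in Step 1.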

Step 4.

Complete the chain of custody docs, deliver an original report to the firm who hired us, and store the original and imaged media, any case notes, and the final report in the safe until the case is cleared. Storage fees may apply depending on the volume of space needed and the length of time needed.




Send email questions or comments about this website to webmaster@aboveboardconsulting.com.
Copyright © 2005 Above Board Consulting, Inc.
Last modified: 01/14/07