OVERVIEW
Computer forensics is the discovery of computer-related evidence and data. We interrogate devices such as cell phones, PDA's, digital cameras, XBOX and other game consoles, servers, notebooks, workstations and any other hardware capable of storing data for later analysis.
This is not the same as "data recovery" such as restoring deleted files or copying files from a backup device, or, using the computer to look at directories, the browser to search for images, documents and other types of files.
If you are seeking these services the "Geek Squad" or a local computer technician can likely fulfill your needs, however, don't expect their work to be accepted in any court of law.
Computer forensics is
both an art and a science. Software and hardware tools provide the conduit
for our forensic experts to extract and analyze data. We have invested
in the same, powerful software and hardware tools the FBI, Homeland Security
and other law enforcement agencies use in their criminal cases and thus
we are well equipped to provide our clients with state of the art analysis
and solid, factual opinions.
FCS has over thirty years of experience in the computer, security and
management fields. We use specialized forensic computer software specifically
designed to search, validate and report on evidence and data. Our in-lab
analysis work is done in a secure facility to protect the privacy of our
clients. All work is carefully documented for use in trial litigation.
The acquisition and search methods used have been proven and upheld in
both trial and appellate courts.
Special circumstances apply to criminal cases involving contraband. Please review this information by clicking here.
CONFIDENTIALITY
All information exchanged between you and FCS is treated with complete
confidentiality and respect. All computer data provided to FCS and any
other physical media is locked in a protected area accessible only by
FCS staff. After our work has been completed you may request that we hold
and store all media and work product, return it to you or destroy it.
Any items you order destroyed and both logically and physically altered
beyond restoration.
The computers, networks and systems used by FCS are not connected to the
Internet or any other public network thus we are not a target for hackers,
worms and viruses common to the Internet, corporate or other public networks.
If the data you provide us has worms, trojans or other software of this
type it will not affect any investigation or impair the use of our systems
in any way.
UNCOVERING EVIDENCE
When a computer is used, multiple files (unknown to the computer user
and not accessible to the average user) are being created, changed and
stored. Fragments of E-Mail, word processing, databases, Internet history,
picture images. movies and much more remain behind as evidence even after
the program is closed or the files are deleted. This hidden or deleted
data can often times be recovered and exposed through computer forensics.
If you do not have the passwords to the Email, spreadsheets, databases
and other data you want us to search you may request that we crack them
in order to access the data.
In situations where the physical disc(s) have errors or appear damaged
or unusable we can often times recover all or part of the data.
TIME IS CRITICAL
It is important to begin any computer related investigation immediately.
When data is stored in a computer it is placed in what we call "free
space". The free space is the same portion of the disc where
deleted data (which may contain evidence) may also be recovered. The new
data can overwrite the deleted data which may result in evidence never
found.
In ongoing investigations, multiple acquisitions of computer data may
be desired. FCS can assist you in performing this without the knowledge
of the user to continue building your case over a period of time.
THE FILING CABINET APPROACH
Investigations typically start when a person, business or law enforcement
has a suspicion about unauthorized use of a computing device. In the tangible
world a spouse, company manager or detective might only take items specific
to what they are looking for right now. Later, as the case unfolds, they
realize other files should have initially been taken out of that filing
cabinet in the beginning. Many times you can't go back and obtain this
evidence because the contents of the filing cabinet have now changed,
removed or destroyed.
In the computer world, the data stored on the disc itself is intangible,
however, the storage media is tangible. Our approach is to initially "take
the whole filing cabinet" as unwanted data can be excluded in
our discovery. If additional search and analysis need to be performed
at a later date we already have entire 'filing cabinet' to pull the evidence
from without wondering if someone permanently altered or deleted data
at a later date.
EVIDENCE TAINTING
Accusations of evidence tainting are not rare in cases involving computer
data when the party who owns or acquires the computer data also analyzes
it. Issues such as accessibility to the data by other parties, experience
and credentials of the person who acquired and reviewed the data, as well
as other questions along these lines are typical.
For the above reasons it's not advisable for a spouse, employer, employee,
friend, etc. to perform the function of acquiring and reporting on evidence
that has any chance of being litigated.
Professional, third-party companies like FCS are experienced in this type
of work and considered neutral and unbiased. Evidence obtained and submitted
by experts like FCS are likely to carry much more weight in front of opposing
counsel, corporate management, a jury or any other party.
THE PROCESS
FCS uses a four phase approach. Phase I consists of access to the
subject computer. Clients also have the option of removing the hard disc(s)
themselves or using a local, qualified technician to perform this task.
In this case we can typically ship your disc(s) back within twenty four
hours.
For critical and time sensitive cases clients may request FCS to come
on-site and acquire the data directly. On-site service is available in
the U.S. and Canada.
In criminal cases governed by the Adam Walsh Act, FCS will travel to the
government controlled facility to perform a portion of it's anlaysis.
Phase II consists of connecting the storage media to an approved
"write blocker". A write blocker is certified to prevent any
type of data being written to the media; thus there is no chance of evidence
tainting by the examiner.
Phase III involves the use of one or more forensic computers designed
to search, process and analize data. Our lab forensic servers total 65Ghz
of processing power (your typical home computer is 2-3.5Ghz). Our expert
reviews results from the forensic programs and forms opinions and conclusions
from the data.
Phase IV is the production of relavent data. Such production is
available for review via the Internet using our secure web site. It may
also be produced on CDROM or DVD media, or in some cases it is produced
on removable hard drives. FCS will accomodate any special requests for
production when possible.
COST CONSIDERATIONS
If you are thinking about performing this type of work yourself or using
your corporate IT department or local computer technician, consider the
internal dollar cost and possibility of your evidence and findings being
tossed out because of the method in which it was acquired, the qualifications
of those who worked on it, or, personal and business associations your
friends or staff might have with the subject.
The internal cost is not only the time you or other people spend performing
this work but also the time spent in possible depositions, staff moral
issues, fall out from gossip spreading and loss of work productivity.
All these may occur and can affect you, your business and most importantly:
the outcome of your case or situation.
Often times the cost to use professional, third-party firms like FCS far
outweigh the internal costs both in dollars and in winning your case.
