OVERVIEW

Computer forensics is the discovery of computer-related evidence and data. This is not the same as "data recovery" such as restoring deleted files or copying files from a backup device, or, using the computer to look at directories, the browser to search for images, documents and other types of files. If you are seeking these services the "Geek Squad" can likely fulfill your needs.
We also interrogate devices such as cell phones, PDA's, digital cameras and other storage devices to extract data for analysis.

Computer forensics is both an art and a science. Software and hardware tools provide the conduit for a data forensics expert to extract and analyze data. We have invested in the same, powerful software and hardware tools the FBI and other law enforcement agencies use in their criminal cases and thus we are well equipped to provide our clients with state of the art analysis and solid, factual opinions.

FCS has over thirty years of experience in the computer, security and management fields. We use specialized forensic computer software specifically designed to search, validate and report on evidence and data. Our in-lab analysis work is done in a secure facility to protect the privacy of our clients. All work is carefully documented for use in trial litigation. The acquisition and search methods used have been proven in both trial and appellate courts.

In computer forensics there is no 'typical case'. Although the needs of our clients may be similar in nature each one has unique requirements. What is consistent are the procedures we follow from our initial contact with you through our delivery of the results.

CONFIDENTIALITY
All information exchanged between you and FCS is treated with complete confidentiality and respect. All computer data provided to FCS and any other physical media is locked in a protected area accessible only by FCS staff. After our work has been completed you may request that we hold and store all media and work product, return it to you or destroy it. Any items you order destroyed and both logically and physically altered beyond restoration.

The computers, networks and systems used by FCS are not connected to the Internet or any other public network thus we are not a target for hackers, worms and viruses common to the Internet, corporate or other public networks.
If the data you provide us has worms, trojans or other software of this type it will not affect any investigation or impair the use of our systems in any way.

UNCOVERING EVIDENCE
When a computer is used, multiple files (unknown to the computer user and not accessible to the average user) are being created, changed and stored. Fragments of E-Mail, word processing, databases, Internet history, picture images and much more often remain behind as evidence even after the program is closed or files are deleted. This hidden or deleted data can often times be recovered and exposed by FCS.

If you do not have the passwords to the Email, spreadsheets, databases and other data you want us to search you may request that we crack them in order to access the data.
In situations where the physical disc(s) have errors or appear damaged or unusable we can often times recover all or part of the data.

TIME IS CRITICAL
It is important to begin any computer related investigation immediately. When data is stored in a computer it is placed in what we call "free space". The free space is the same portion of the disc where deleted data (which may contain evidence) may also be recovered. The new data can overwrite the deleted data which may result in evidence never found.
In ongoing investigations, multiple acquisitions of computer data may be desired. FCS can assist you in performing this without the knowledge of the user to continue building your case over a period of time.

THE FILING CABINET APPROACH
Investigations typically start when a person, business or law enforcement has a suspicion about one or two items. In the tangible world, a spouse, company manager or detective might only take items specific to what they are looking for now. Later, as the case unfolds and opens into new avenues, they realize other files should have initially been taken out of that filing cabinet in the beginning. Many times you can't obtain this evidence because the contents of the filing cabinet have now changed or been removed.

In the computer world, the data stored on the disc itself is intangible, however, the disc drive(s) are tangible. Our approach is to initially "take the whole filing cabinet" as unwanted data can be excluded in our discovery. If additional searches need to be performed at a later date we already have entire 'filing cabinet' to pull the evidence from without wondering if someone permanently altered or deleted data in the computer at a later date.

EVIDENCE TAINTING
Accusations of evidence tainting are not rare in cases involving computer data when the party who owns or acquires the computer data also analyzes it. Issues such as accessibility to the data by other parties, experience and credentials of the person who acquired and reviewed the data, as well as other questions along these lines are typical.
For the above reasons it's not advisable for a spouse, employer, employee, friend, etc. to perform the function of acquiring and reporting evidence that has any chance of being litigated by any party.
Professional, third-party companies like FCS are experienced in this type of work and considered neutral and unbiased. Evidence obtained and submitted by professionals like FCS is likely to carry much more weight in front of opposing counsel, corporate management, a jury or any other party.

THE PROCESS

FCS uses a four phase approach. Phase I consists of access to the subject computer. Clients also have the option of removing the hard disc(s) themselves or using a local, qualified technician to perform this task. In this case we can typically ship your disc(s) back within twenty four hours.
For critical and time sensitive cases clients may request FCS to come on-site and acquire the data directly. On-site service is available in the U.S. and Canada.


Phase II and Phase III consists of acquiring an exact image of the entire disc(s). The disc(s) are accessed using a special program which locks the disc drive so no contents can be altered.
The process creates the image copy on our evidence disc array so the subject data can be verified and analized.
To ensure there are no errors or alterations, a disc "hash value" is computed for each disc and then compared to the original media. The hash value is a DNA fingerprint representing the contents of the source disc at the date and time it was acquired.
This value is shown on all reports as proof that no one altered any data acquired.

Phase IV is the analysis and reporting phase. The analysis is based on search parameters you provide us. Once you have told us what you are looking for we will start the analysis process. This can take from several hours to several days depending on the complexity of the parameters and the size of the data to be searched. Note that you are not billed for 'machine time'. Machine time is hours used by our systems to run programs without the need of a professional to monitor the system. Many of our competitors bill you for both machine and staff time.
Reports are produced both in hardcopy and on CDROM or DVD. In cases where opposing counsel or the Court requests copies of the acquired data, that information can also be provided on CDROM of DVD.

FCS is prepared to testify on all information contained in the final report and the methods used to acquire and process the evidence.

COST CONSIDERATIONS
If you are thinking about performing this type of work yourself or using your corporate IT department or local computer technician, consider the internal dollar cost and possibility of your evidence being tossed out because of the method in which it was acquired, the qualifications of those who worked on it, or, personal and business associations your friends or staff might have with the subject.
The internal cost is not only the time you or other people spend performing this work but also the time spent in possible depositions, staff moral issues, other internal issues, gossip spreading and loss of work productivity. All these may occur and can affect you, your business and most importantly: the outcome of your case or situation.
Often times the cost to use professional, third-party firms like FCS far outweigh the internal costs both in dollars and in winning your case.