Computer forensics is the discovery of computer-related
evidence and data. This is not the same as "data recovery"
such as restoring deleted files or copying files from a backup device,
or, using the computer to look at directories, the browser to search for
images, documents and other types of files. If you are seeking these services
the "Geek Squad" can likely fulfill your needs.
We also interrogate devices such as cell phones, PDA's, digital cameras
and other storage devices to extract data for analysis.
Computer forensics is both an art and a science. Software and hardware
tools provide the conduit for a data forensics expert to extract and analyze
data. We have invested in the same, powerful software and hardware tools
the FBI and other law enforcement agencies use in their criminal cases
and thus we are well equipped to provide our clients with state of the
art analysis and solid, factual opinions.
FCS has over thirty years of experience in the computer, security and
management fields. We use specialized forensic computer software specifically
designed to search, validate and report on evidence and data. Our in-lab
analysis work is done in a secure facility to protect the privacy of our
clients. All work is carefully documented for use in trial litigation.
The acquisition and search methods used have been proven in both trial
and appellate courts.
In computer forensics there is no 'typical case'. Although the needs of
our clients may be similar in nature each one has unique requirements.
What is consistent are the procedures we follow from our initial contact
with you through our delivery of the results.
CONFIDENTIALITY
All information exchanged between you and FCS is treated with complete
confidentiality and respect. All computer data provided to FCS and any
other physical media is locked in a protected area accessible only by
FCS staff. After our work has been completed you may request that we hold
and store all media and work product, return it to you or destroy it.
Any items you order destroyed and both logically and physically altered
beyond restoration.
The computers, networks and systems used by FCS are not connected to the
Internet or any other public network thus we are not a target for hackers,
worms and viruses common to the Internet, corporate or other public networks.
If the data you provide us has worms, trojans or other software of this
type it will not affect any investigation or impair the use of our systems
in any way.
UNCOVERING EVIDENCE
When a computer is used, multiple files (unknown to the computer user
and not accessible to the average user) are being created, changed and
stored. Fragments of E-Mail, word processing, databases, Internet history,
picture images and much more often remain behind as evidence even after
the program is closed or files are deleted. This hidden or deleted data
can often times be recovered and exposed by FCS.
If you do not have the passwords to the Email, spreadsheets, databases
and other data you want us to search you may request that we crack them
in order to access the data.
In situations where the physical disc(s) have errors or appear damaged
or unusable we can often times recover all or part of the data.
TIME IS CRITICAL
It is important to begin any computer related investigation immediately.
When data is stored in a computer it is placed in what we call "free
space". The free space is the same portion of the disc where
deleted data (which may contain evidence) may also be recovered. The new
data can overwrite the deleted data which may result in evidence never
found.
In ongoing investigations, multiple acquisitions of computer data may
be desired. FCS can assist you in performing this without the knowledge
of the user to continue building your case over a period of time.
THE FILING CABINET APPROACH
Investigations typically start when a person, business or law enforcement
has a suspicion about one or two items. In the tangible world, a spouse,
company manager or detective might only take items specific to what they
are looking for now. Later, as the case unfolds and opens into new avenues,
they realize other files should have initially been taken out of that
filing cabinet in the beginning. Many times you can't obtain this evidence
because the contents of the filing cabinet have now changed or been removed.
In the computer world, the data stored on the disc itself is intangible,
however, the disc drive(s) are tangible. Our approach is to initially
"take the whole filing cabinet" as unwanted data can
be excluded in our discovery. If additional searches need to be performed
at a later date we already have entire 'filing cabinet' to pull the evidence
from without wondering if someone permanently altered or deleted data
in the computer at a later date.
EVIDENCE TAINTING
Accusations of evidence tainting are not rare in cases involving computer
data when the party who owns or acquires the computer data also analyzes
it. Issues such as accessibility to the data by other parties, experience
and credentials of the person who acquired and reviewed the data, as well
as other questions along these lines are typical.
For the above reasons it's not advisable for a spouse, employer, employee,
friend, etc. to perform the function of acquiring and reporting evidence
that has any chance of being litigated by any party.
Professional, third-party companies like FCS are experienced in this type
of work and considered neutral and unbiased. Evidence obtained and submitted
by professionals like FCS is likely to carry much more weight in front
of opposing counsel, corporate management, a jury or any other party.
THE PROCESS
FCS uses a four phase approach. Phase I consists of access to the
subject computer. Clients also have the option of removing the hard disc(s)
themselves or using a local, qualified technician to perform this task.
In this case we can typically ship your disc(s) back within twenty four
hours.
For critical and time sensitive cases clients may request FCS to come
on-site and acquire the data directly. On-site service is available in
the U.S. and Canada.
Phase II and Phase III consists of acquiring an exact image
of the entire disc(s). The disc(s) are accessed using a special program
which locks the disc drive so no contents can be altered.
The process creates the image copy on our evidence disc array so the subject
data can be verified and analized.
To ensure there are no errors or alterations, a disc "hash value"
is computed for each disc and then compared to the original media. The
hash value is a DNA fingerprint representing the contents of the source
disc at the date and time it was acquired.
This value is shown on all reports as proof that no one altered any data
acquired.
Phase IV is the analysis and reporting phase. The
analysis is based on search parameters you provide us. Once you have told
us what you are looking for we will start the analysis process. This can
take from several hours to several days depending on the complexity of
the parameters and the size of the data to be searched. Note that you
are not billed for 'machine time'. Machine time is hours used by our systems
to run programs without the need of a professional to monitor the system.
Many of our competitors bill you for both machine and staff time.
Reports are produced both in hardcopy and on CDROM or DVD. In cases where
opposing counsel or the Court requests copies of the acquired data, that
information can also be provided on CDROM of DVD.
FCS is prepared to testify on all information contained in the final report
and the methods used to acquire and process the evidence.
COST CONSIDERATIONS
If you are thinking about performing this type of work yourself or using
your corporate IT department or local computer technician, consider the
internal dollar cost and possibility of your evidence being tossed out
because of the method in which it was acquired, the qualifications of
those who worked on it, or, personal and business associations your friends
or staff might have with the subject.
The internal cost is not only the time you or other people spend performing
this work but also the time spent in possible depositions, staff moral
issues, other internal issues, gossip spreading and loss of work productivity.
All these may occur and can affect you, your business and most importantly:
the outcome of your case or situation.
Often times the cost to use professional, third-party firms like FCS far
outweigh the internal costs both in dollars and in winning your case.