Digital Forensics, the retrieval and analysis of Electronically Stored Information (ESI), requires a wide knowledge of techniques and technology, as well as a variety of very specialized, expensive equipment. MSA has plenty of both.
ESI is an essential component of civil and criminal matters, as well as regulatory investigations. MSA’s certified digital forensic professionals ensure that critical information is consistently identified, collected, preserved, and analyzed according to the rules of evidence.
We have the team, tools and technology to help you with digital forensics services including:
E-evidence Recovery and Analysis
Data Recovery
Document Discovery
Password Recovery
Mobile Device Forensics
Litigation Support
Expert Testimony
MSA’s Digital Forensics Team can perform on-site data acquisition and analysis of computers, networks and other digital devices. All analysis of devices is performed at our state-of-the-art laboratory.
Electronic Discovery is the identification and securing of electronically stored information (ESI) for the purpose of using it for its evidentiary value in either a criminal or civil proceeding. MSA Investigations’ Electronic Discovery or e-Discovery professionals have substantial experience in retrieving ESI, which can be stored in various forms including e-mails, metadata, voice-mails, documents, instant messages, text messages, digital images, graphics, databases, spreadsheets, file fragments, audio files, and other forms of digital data. This data is often preserved from a variety of sources, including handheld devices, computers, thumb drives, servers, and backup tapes. ESI is obtained and preserved by our professionals in accordance with the rules of evidence.
Some of the cases in which e-Discovery methodology has been employed by our specialists include the following:
Litigation Support
Copyright and Trademark Infringement
Employee Misconduct
Corporate Fraud
Tax Fraud
Digital Forensics is a scientific examination by a certified computer forensic specialist, which includes the identification, collection, preservation, and analysis of all forms of Electronically Stored Information (ESI) in such a way that the data obtained can later be used as evidence in a court of law, or for possible use in litigation.
Computers
iPads and Laptops
Smartphones and Most Other Cell Phones
MP3 Music Players, iPods
Hard Drives
Digital Cameras
USB Memory Devices
PDAs (Personal Digital Assistants)
Backup Tapes
CD-ROMs & DVDs
Unauthorized disclosure of corporate information
Theft of intellectual property or trade secrets
Employee Internet abuse or other violations of a computer policy
Workplace misconduct
Damage assessment and analysis
Industrial espionage
Negligence, sexual harassment, and deception cases
Evidence collection for future employee termination
Criminal fraud and white-collar crime
More general criminal cases and many civil cases
Data Recovery of deleted, encrypted or hidden computer files even after a hard drive has been reformatted or repartitioned
Passwords for password-protected or encrypted files
Determination of:
Web sites that have been visited
Files that have been uploaded or downloaded
When files (docs, pictures, etc.) were last accessed/deleted
User login times and passwords
Discovery of:
Attempts to conceal, destroy, or fabricate evidence
Text that was removed from the final document version
Faxes sent or received on a computer
Deleted email, texts, webmail, and attachments
Other types of communications strings such as Instant Message chat logs
Deleted emails can be recovered in the majority of cases, but there is no guarantee.
When emails are deleted from your Inbox, there is still a chance that they reside on the server or in other areas of the computer. Computer forensic tools and methods allow for the extraction and examination of email storage, including information that was previously deleted.
Even web-based email programs such as these leave information on the computer that can be recovered without the computer being on the Internet. Web browsers (Internet Explorer, Firefox, Chrome, Safari, etc.) store temporary internet files on the computer that can later be retrieved by computer forensics.
Although each situation is unique, there is a very good chance that a Digital Forensics investigator can recover deleted files from the subject’s hard drive. When a file is deleted using standard methods, the contents of the file are not actually erased from the hard drive. The operating system merely removes the pointer to the file so that it no longer appears in the folders or directories; the file’s contents are still there until that space is reused. Contrary to popular belief, digital files are not vaporized when the delete button is pushed, and therefore such files are usually recoverable and usable.
A certified Digital Forensic examiner will have a combination of sophisticated hardware tools and software programs to unlock certain types of password protected files. Depending on the type of file and the speed of the computer, some programs can try hundreds of thousands of passwords per second. However, longer and more complex passwords are more of a challenge to crack.
Briefly, it’s data about the data. Metadata is very important in Digital Forensics investigations as it describes essential aspects of the data (or document) including information about the author of the document, the last print time, or when the file was created, accessed, or modified. Metadata requires the same forensic scrutiny as any other form of data and often is not visible unless special tools and methods are used.
Most importantly, let’s begin with what you should NOT do:
Do NOT use the computer or attempt to search for evidence, as any further use of the computer may damage and taint any evidence that might exist on the device.
Do NOT turn it on. If the suspected computer is turned off, leave it off. By powering on the system you run the risk of changing the data on the computer forever and losing valuable evidence.
Do NOT initiate a normal “Shut Down” process and shut the computer off. If you must shut down the computer, unplug it from the back of the tower or the outlet.
Do NOT type on the keyboard or move the mouse.
Do NOT allow the internal IT staff to conduct a preliminary investigation.
Do NOT remove any USB Drives/Devices, SD cards, or other devices that are connected to the computer.
Here’s what you CAN do:
Do store the computer in a secure place.
Do keep a detailed log of:
Who had/has access to the computer
What was done, if anything
When was it done
Where the computer has been stored since the incident
Do photograph the screen if the computer is “on” and something is displayed on the monitor.
Do contact MSA Investigations immediately.
Cell phones, iPads, digital cameras, and other mobile devices store data directly to internal memory that is more volatile, and can be lost when the device is shut off or the battery is depleted (or removed). Please follow these guidelines to secure these devices for future examination:
If the device is “off”, do not turn it “on”.
If the device is “on”, leave it “on”. Shutting down the device could enable a password lock, preventing access to evidence, and/or result in the loss of data evidence.
Photograph device and screen display (if available).
Label and collect all cables and transport with the device.
Keep the device charged.
If the device cannot be kept charged, analysis by a specialist must be completed prior to battery discharge or the data may be lost.
Document all steps involved in the seizure of the device and its components.
The longer a computer or digital device is used or awaits inspection, the higher the probability that the digital evidence will be tainted or lost. It’s also true that the simple act of turning the computer on or looking through files can potentially damage the very data you’re seeking. File creation dates can change, files can be overwritten, and evidence can be corrupted. But all of these risks can be lessened by contacting a Computer Forensics expert immediately and acquiring an image of the computer as quickly as possible, without destroying or altering any valuable evidence.
There are four main reasons why in-house IT is not the best choice for such a task:
Recording the “Tracks”
Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irretrievably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.
Untainted Data
Even if proper evidence handling techniques have been used by in-house IT, the collection process itself has altered, and has likely tainted, the data collected. We have seen it happen. We often receive computers to examine after a company’s computer personnel have attempted to recover evidence from them. In their attempts they have destroyed important evidence, such as the dates that files were last accessed.
Evidence Integrity
In addition to the lack of skills, hardware, and software, using an in-house employee can make you vulnerable to allegations of fabricating evidence and other impropriety. You should avoid the conflicts of interest that arise from using your own IT staff by hiring an independent expert. An outside computer forensics expert should be brought in as soon as possible to work with the IT, legal, and/or compliance personnel and offer an outside, unbiased perspective. Courts favor the use of neutral third-party analysis.
Legal Expertise
It is unlikely your employee qualifies in court as an expert in the forensic examination of a computer. As non-experts, they would only be allowed to testify to facts, and would not be permitted to testify to opinions or conclusions as an expert would.
Depending on the damage done by the internal IT staff, a skilled computer forensics vendor may be able to salvage some of the damaged evidence. However, this can be an arduous and time-consuming process that often costs several times more than the original analysis would have cost.
The goal of data recovery procedures is solely to recover the files and folders lost from damaged disk drives, media, computers, peripherals or operating systems due to disk or system failure, unintentional deletion, or other unexpected circumstance, without monitoring the usage of the device. Generally, data recovery could be considered the first step in gathering evidence in a computer forensics investigation.
Digital Forensics is concerned with providing evidence (or proving a lack of evidence) regarding how a computer was used, what files were accessed and at what time, and who had accessed them. Digital Forensics investigators are able to find, assemble, analyze, and explain large amounts of digital information that would not be particularly helpful for data recovery services, but are invaluable in a court of law.
In Digital Forensics, there are three types of data that we are concerned with: active, archival, and latent.
Active data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
Latent data is the information that one typically needs specialized tools to access. An example would be information that has been deleted or partially overwritten.
The first step is to clearly determine the purpose and objective of the investigation. Then the investigator secures the subject computer system from tampering or unauthorized changes during the investigation.
Next, the investigator “discovers” all files on the subject’s system. In many cases, information gathered during a computer forensics investigation is not available or viewable by the average computer user, such as deleted files and fragments of data that remain in the unused portion of the space allocated to existing files (known by digital forensic practitioners as slack space). Special skills and tools are needed to obtain this type of information or evidence.
Then, the investigator copies, protects, and preserves the evidence from any possible alteration, damage, data corruption, or virus introduction that may render the evidence inadmissible in court.
After that, the Investigator recovers all deleted files and other data not yet overwritten. A deleted file will remain resident on a hard drive until the operating system overwrites all or some of the file. So in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The ongoing use of a computer system may destroy data that could have been extracted before being overwritten.
Finally, the investigator includes an analysis of all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as 'slack' space in a file.
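The deleted-file behaviour described above (the directory entry goes, the bytes stay) together with slack space and unallocated space, as an added example that is not part of the original page: a constructed toy volume in Python (not a real filesystem) in which a file is deleted, a new file partially reuses its first cluster, and the remnant is then found in the new file's slack, in unallocated clusters, and by signature carving over the raw image. ToyVolume, carve and demo are names invented here, and the memo text is constructed sample data.

```python
CLUSTER, N_CLUSTERS = 64, 8   # constructed: a 512-byte toy image with 64-byte clusters
class ToyVolume:
    """Constructed toy volume: fixed-size clusters plus a directory table mapping
    names to cluster lists. Not a real filesystem; delete only drops the entry."""
    def __init__(self):
        self.disk = bytearray(CLUSTER * N_CLUSTERS)
        self.dir = {}                                  # name -> (size, [clusters])

    def allocated(self):
        return {c for _, cl in self.dir.values() for c in cl}

    def write(self, name, data):
        free = [c for c in range(N_CLUSTERS) if c not in self.allocated()]
        clusters = free[:-(-len(data) // CLUSTER)]      # ceil(len / CLUSTER) clusters
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # rest of cluster untouched
        self.dir[name] = (len(data), clusters)

    def delete(self, name):
        del self.dir[name]                             # pointer gone, bytes remain on disk

    def slack(self, name):                             # bytes after EOF in the last cluster
        size, clusters = self.dir[name]
        used = size - (len(clusters) - 1) * CLUSTER
        return bytes(self.disk[clusters[-1] * CLUSTER + used:(clusters[-1] + 1) * CLUSTER])

    def unallocated(self):                             # clusters no directory entry points to
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(N_CLUSTERS) if c not in self.allocated())

def carve(image, header, footer):                      # signature carving; ignores the directory
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header))
        if end == -1:
            break
        found.append(bytes(image[start:end + len(footer)]))
        pos = end + len(footer)
    return found

def demo():
    vol = ToyVolume()
    memo = b"-" * 24 + b"<MEMO>Transfer approved by J. Doe on 2019-03-01</MEMO>"  # 78 bytes
    vol.write("memo.txt", memo)                        # spans clusters 0 and 1
    vol.delete("memo.txt")                             # the user "deletes" it
    vol.write("notes.txt", b"innocuous notes")         # reuses cluster 0, overwrites 15 bytes
    return {"visible": sorted(vol.dir), "slack": vol.slack("notes.txt"),
            "unalloc": vol.unallocated(), "carved": carve(vol.disk, b"<MEMO>", b"</MEMO>")}
```

The directory shows only notes.txt, yet the memo header survives in that file's slack, its tail sits in an unallocated cluster, and carving the raw image recovers the whole record; on a real volume the same remnants are only safe until the clusters are reused.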
The Digital Forensics expert will provide a detailed report that explains:
Processes taken in acquiring and securing the electronic evidence
Qualifications of the examiner
Scope of the examination
Findings of the examination
Conclusions
Please note, the findings section may include file listings including file date/timestamps, document printouts, e-mail printouts, digital photographs, audio files, internet logs, timelines, text fragments extracted from unallocated space on the hard drive, and keyword search results.
The examiner’s conclusions may be the most critical component of the final report. These conclusions, based upon the examiner’s expertise and experience in the field of computer forensic technology, often form the basis for expert testimony in a court proceeding or for the filing of an affidavit.