Methodology

Our Forensic Methodology

Forensics is the scientific process of collecting and analyzing evidence for use in a legal system. Digital Forensics is a subset of the forensic sciences that deals with digital devices. Our standard operating procedures for handling forensic evidence can be summarized in the following steps:

Acquisition: First, a hardware write-blocker is put in place between the evidence and the target drive to ensure that no alteration to the original evidence is possible at any time during the acquisition. We only use sanitized (or verifiably clean) drives to acquire evidence. We also support hard drive encryption as an added layer of security and comfort for our clients. Using industry-standard software, a complete and identical ‘forensic image’ of each hard drive or other digital storage device is created. The industry-standard MD5 and SHA-1 cryptographic hash functions are used to calculate hash values (unique digital identifiers) for each storage device that is imaged. This process ensures our team that the forensically preserved image of the source hard drive is verified as being identical to the original. If the acquisition is conducted on-site, appropriate notes, photos, sketches of the scene, information regarding the systems under investigation and any additional relevant information are taken with the collected evidence.

Verification: Hash values of the acquired image are compared to the hash values of the original in order to prove the no alteration to the data has occurred and that the forensic image is indeed identical to the original evidence drive. Once the image has been verified, the original drive is no longer required for the investigation and is generally returned to the legal custodian. The drive is then bagged and a Chain of Custody form is filled out and attached (this must be done prior to leaving the scene for on-site acquisitions). This form is used throughout the case to maintain Chain of Custody records as required by law.

Preservation: Before the investigation of the acquired data can begin, a second identical forensic image is made. This second image becomes the ‘working copy’. This is done so that, if at any time anything were to change or become corrupt, we would be able to easily create another ‘working copy’. The working copy must also be ‘hashed’ and proven to be identical to both the first image and to the original evidence drive. Once the working copy has been created, the first image is placed in a fireproof evidence safe at our secure facility. It will only be removed from the safe if:

  1. The working copy becomes damaged or corrupted during analysis, in which a new working copy must be made by the same procedures as above, or
  2. The case has been resolved at which point all evidence images and working copies in our possession must be securely destroyed or returned to the legal custodian.

Sources of Digital Evidence

  • RAM Memory and hard drive storage from desktops, laptops and servers
  • External hard drives, memory sticks, memory cards, CDs, DVDs, Blu-ray
  • Digital cameras, DVRs
  • Floppies and backup tapes
  • Smartphones, Blackberries, iPhones, iPods, tablets, etc.
  • Game Consoles (xBox, PlayStation, etc.)
  • GPS devices (Garmin, TomTom, etc.)
  • VoIP devices (PBX, Voicemail, etc.)
  • Cloud based (DropBox, Microsoft 365, etc.)