We are meticulous in documenting each stage of the forensic examination process. To avoid evidence contamination, we use only new sanitized drives to store images. Plus, we use hard drive encryption as an added layer of security.
1. Acquisition of Data as Evidence
We use a write-blocking device to isolate evidence and prevent any alterations to data. A complete and identical forensic image is made of each hard drive or other digital storage components.
2. Verification of Data
Industry-standard MD5 and SHA1 hash algorithms are used to calculate hash values (unique digital identifiers) for each imaged device to ensure that the forensically preserved image of the source hard drive is identical to the original.
3. Preservation of Evidence
A second image is made and used as a ‘working copy’ while the first image is stored in our fireproof evidence floor safe in our secure evidence storage facility.
4. Analysis of Data
As required by law, a Chain of Custody form is maintained throughout the investigation to guard against evidence tampering. When the analysis is concluded, all evidence images and working copies are securely destroyed or returned to the legal custodian.
5. Presentation of Evidence
Based on evidence accumulated during our analysis of the data, our Certified Forensics Examiners prepare a report of our impartial findings. Our examiners are skilled at presenting data in courtrooms and explaining Digital Forensics issues in court.
Equipment We Use to Preserve Evidence Integrity
- Forensic Computers: dedicated exclusively for use in our forensics lab to prevent data corruption.
- Write-Blocking Devices: prevents evidence corruption by restricting the use of data to the read-only format.
- Imaging Devices: an exact & complete 1:1 copy is made to preserve and protect the original.
- Encryption Hardware: protects sensitive data using encryption algorithms.