What Our Analysis Process Looks Like

Our full forensic analysis is a detailed analysis of the device you submitted. If the focus is to identify emails, for example, we will not only review the emails in question but also identify the digital artifacts that relate to each message. This type of examination is far more reliable because our findings are supported by digital artifacts found elsewhere on the device or network that corroborate the specific message.

Before we even get to the analysis phase, there are several steps that we religiously practice to ensure that our clients get the best value for their money. The forensic process begins with the proper identification and collection of the digital evidence. Many cases have been thrown out of court simply because the collection process was done incorrectly due to budget constraints and inexperience. Our process emphasizes the collection phase and includes all the necessary documentation.

Muddling around on a cellphone or computer that may contain evidence can change so many things. This practice will almost always make any evidence found on the device questionable. As a result, we create forensically sound copies of the device(s) to retain the integrity of the original device. The original device(s) and their original copies are retained in an evidence locker that can only be accessed by trained and certified examiners who know how to handle these items. An additional working copy is retained for the analysis phase.
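As an added illustration of the "forensically sound copy" step above (example code, not the firm's own tooling): the acquired image is hashed once at collection, and before any analysis both the retained original and the working copy are verified against that recorded hash, with every check appended to a chain-of-custody log. The file names, examiner id and image contents are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image need not fit in RAM

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def custody_entry(log_path, action, item, examiner, digest):
    """Append one chain-of-custody record (JSON lines) and return it."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
             "item": item, "examiner": examiner, "sha256": digest}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_working_copy(acq_path, work_path, recorded_hash, log_path, examiner):
    """True only if original image and working copy both still match the
    hash recorded at collection; the outcome is logged either way."""
    acq_ok = sha256_file(acq_path) == recorded_hash
    work_digest = sha256_file(work_path)
    ok = acq_ok and work_digest == recorded_hash
    custody_entry(log_path, "verify-ok" if ok else "verify-FAILED",
                  work_path, examiner, work_digest)
    return ok

def demo():
    """Constructed sample: fake image, its working copy, then a one-byte change."""
    d = tempfile.mkdtemp()
    acq, work, log = f"{d}/device.img", f"{d}/device-working.img", f"{d}/custody.jsonl"
    data = b"CONSTRUCTED SAMPLE IMAGE DATA\n" * 4096
    for p in (acq, work):
        with open(p, "wb") as f:
            f.write(data)
    recorded = sha256_file(acq)  # hash taken when the image was acquired
    custody_entry(log, "acquire", acq, "examiner-1", recorded)
    good = verify_working_copy(acq, work, recorded, log, "examiner-1")
    with open(work, "r+b") as f:  # simulate an accidental write to the working copy
        f.seek(10)
        f.write(b"X")
    bad = verify_working_copy(acq, work, recorded, log, "examiner-1")
    with open(log) as f:
        return good, bad, sum(1 for _ in f)
```

A working copy that fails this check is discarded and re-derived from the retained original rather than analysed, and the failed entry stays in the log.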

In the analysis phase, the training, research skills and experience of the examiner will prove to be priceless. The examiner must draw on a wealth of knowledge from different sources to review the potential evidence item. They will create theories and attempt to debunk them. They will review the smallest details of each seemingly unrelated artifact to determine how they connect and why they exist. Once this is done, the examiner will then compile the data and attempt to connect the pieces of the “puzzle”. If everything seems to add up, then we validate it once again and try our best to shoot holes in the theory. We only proceed if the theories stand true and we know we can stand by the findings.

At this stage, we move on to the reporting phase. The reporting is where all the findings are sorted and organized in a logical format. Our aim is to make it as reader-friendly as possible while retaining its technical value. This can often be time-consuming, but the results speak for themselves, as the material will ensure that all questions are answered and all potential holes are identified and explained.

This process is practiced for every single one of our cases, which is why we remain on top. Our examiners also continue to learn and grow daily. With the sheer volume of information out there, it can sometimes be overwhelming for people to learn and grow as they get tugged in different directions. Our examiners have addressed this by joining specific groups and associating themselves with organizations that make the information-sharing process seamless (or a lot less noisy). This accelerates the learning process and allows us to network with like-minded individuals so that we can provide the best results to our valued customers.

If a forensic team is willing to work on your device without following these important steps, then it means you may have to pay someone else to redo the examination and hopefully salvage what isn’t already lost.


Written by Kemar Wilks, Senior Certified Forensic Examiner.