Computer Forensics

It has been reported that approximately ninety percent of all information generated today is created in electronic form, and ninety percent of it will never leave its electronic form. Therefore, it is crucial that the forensic examination of computers, laptops, tablets and cellphones be considered during any investigation. This is why we have formally trained and certified Computer Forensic Examiners on staff to facilitate this type of specialized work for our clients. Each of our examiners has years of work experience and is qualified to testify in court on a client’s behalf.

There are five basic steps in a typical Computer Forensics examination case.  These steps are: Intake, Acquisition, Imaging, Forensic Analysis, and Reporting.

Intake

Intake is the first step in the process of a computer or cellphone forensic examination. This is when the examiner speaks with the client to discuss the purpose of the investigation; what the goals are; what parameters may exist within the scope of the work being requested; and what results the client can expect at the conclusion of the case. This is also when the examiner will ask the client to provide a set of what are referred to as “search terms” to be used during his or her examination.

Anyone who is considering having a computer forensic examination performed on a device or devices should understand that modern-day computers contain a vast amount of memory, making the examination of every bit of data stored on one almost impossible, especially when there are time and/or budget constraints. So providing the examiner with a comprehensive set of search terms to work with at the outset of the case is very important. Search terms may include such things as a particular person’s name, an email address, a telephone number, or the name of a city or a zip code. Search terms can also include certain topics, a type of action or crime, or even a specific type of website. Looking for evidence on a device that the user was viewing pornography, contacting a paramour, or visiting websites known for the solicitation of sex-for-hire services are just a few examples of the searches that our computer forensic examiners perform in our cases.

 

Acquisition

Acquisition is the process a forensic examiner uses to collect the device that the examination is to be performed on.  It should be noted that if a device is turned on when the client decides to have it examined, it should be left on. This is done to preserve any data that is stored in the device’s Random Access Memory (RAM).  Our examiner will know exactly how and when to turn a device off, in order to capture and preserve this information properly.

Imaging

The next step in the computer forensics process is called Imaging.   Imaging refers to when a forensics examiner makes an exact copy of the device’s hard drive.  The examination and analysis to follow is typically performed on this copy, rather than on the original device.  There are several methods used to make this image.  One method involves removing the device’s hard drive from the computer itself.  Another method is to connect the computer to a device called a “write blocker” with a cable.   A copy of the hard drive is then transferred to another computer through the cable.  Using a write blocker allows the examiner to copy the contents of the device’s hard drive without disturbing any of that data or leaving a trace.  This way the information is captured in its true, original form.

Forensic Analysis

The next step in the computer forensics process is called Forensic Analysis. The examiner will first prepare the media stored on a device for examination by doing what is termed “mounting.” He or she will then begin analyzing the data found on the image. This is done by using several specialized computer software programs that are designed to search for traces of digital evidence. It is important to note that the examination of a computer or cellphone is never limited to finding only the information that is visible to the user. It will also find data that is located in hidden files, and data that has been previously deleted by the device’s user. This is because information that has been “deleted” will typically remain on a device’s hard drive until something new has been written over the top of it.
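The following is an added illustration, not code from our examiners or from any commercial forensic program: a search-term scan run over the raw bytes of an image rather than through its file system, which is why text in deleted, not-yet-overwritten areas still turns up. It assumes a raw (dd-style) image; the function names and the sample image are constructed for the example.

```python
import io

def term_patterns(term):
    """Byte forms of a term: UTF-8 and UTF-16LE (common on Windows), lower-cased."""
    low = term.lower()
    return {low.encode("utf-8"), low.encode("utf-16-le")}

def search_image(stream, terms, chunk_size=1 << 20):
    """Scan a raw image stream and return sorted (byte_offset, term) hits.

    Matching is done on raw bytes, so file-system deletion markers are
    irrelevant. Case-insensitivity covers ASCII letters only.
    """
    patterns = {p: t for t in terms if t for p in term_patterns(t)}
    if not patterns:
        return []
    # Keep enough trailing bytes to catch a term split across two chunks.
    overlap = max(len(p) for p in patterns) - 1
    hits, tail, base = set(), b"", 0  # base = image offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk.lower()
        for pat, term in patterns.items():
            pos = window.find(pat)
            while pos != -1:
                hits.add((base + pos, term))  # set() dedupes overlap re-hits
                pos = window.find(pat, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)

def build_sample_image():
    """Constructed 2 KiB 'image': two text remnants in otherwise empty space."""
    img = bytearray(2048)
    img[510:530] = b"Jane.Doe@example.com"          # straddles offset 512
    img[1024:1040] = "555-0100".encode("utf-16-le")  # stored as UTF-16LE
    return bytes(img)

if __name__ == "__main__":
    image = io.BytesIO(build_sample_image())
    for offset, term in search_image(image, ["jane.doe@example.com", "555-0100"], 512):
        print(f"offset {offset}: {term}")
```

The byte offsets it reports are what an examiner would then map back to a file, a deleted file's remnants, or unallocated space.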

Reporting

Preparing a formal report on the findings is the next and final step in the Computer Forensics examination process.  This report will contain a complete description of the device(s) examined; the search terms that were used during the examination; and a breakdown of any relevant data that was identified during the process.  The examiner will also provide a summary of the investigation and make recommendations on any additional steps that should be taken.

To Learn More

For more about Computer Forensics and how the evidence obtained through this process can be utilized in a court of law, please consult with a licensed family law attorney working in your jurisdiction. If you would like to learn more about the investigative process itself or our investigation services in Reston, Virginia, please contact us using the information listed below.