How exactly does Computer Forensics work?
The Computer Forensics Examiner will take several careful steps to identify and extract all relevant data resident on a subject's computer system. Forensic analysis will extract the data that can be viewed through the operating system, as well as data that is invisible to the operating system. Proper forensic protocol will:

• Protect the evidence during the forensic examination from any possible alteration, damage, data corruption, or virus introduction. A write-blocking device should be used at the time the computer is acquired to ensure that the evidence is not damaged, tainted, or in any other way rendered inadmissible in court.

• Use forensically sound protocols at all times during the investigation to ensure that the information on the computer is admissible in court. Assume that every case or situation could end up in the legal system. If your Computer Forensics Examiner doesn't make that assumption, find someone else. From write-blocking techniques to MD5 hash values and chain of custody, make sure they focus on sound forensic procedures.

• Address the legal issues at hand in dealing with electronic evidence, such as relevant case law, how to navigate the discovery process, protection of privilege, and, in general, working and communicating with attorneys and other professionals.

• Discover all files on the subject's system. This includes existing normal files and invisible files: deleted but still-present files, hidden files, password-protected files, and encrypted files.

• Recover all deleted files and other data not yet overwritten. As a computer is used, the operating system is constantly writing data to the hard drive. From time to time, the operating system will save new data on a hard drive by overwriting data that is resident on the drive but no longer needed by the operating system. A deleted file, for example, will remain resident on a hard drive until the operating system overwrites all or part of it. Thus, in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The ongoing use of a computer system may destroy data that could have been extracted before being overwritten. Fortunately, the costs of acquisition are very reasonable, and the process is not disruptive.

• Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as 'slack' space in a file (the unused space at the end of a file, in the last assigned disk cluster, which may hold previously created and relevant evidence).
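The slack-space and unallocated-space carving described above, together with the hash verification from the forensically-sound step, as an added Python example that is not part of the original page; the disk image, the 512-byte cluster size and the file layout are all constructed for illustration:

```python
import hashlib

CLUSTER = 512  # assumed cluster size for the constructed image

def slack_bytes(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Unused bytes in the last cluster assigned to a file of file_size bytes."""
    if file_size == 0:
        return 0
    return (-file_size) % cluster_size

def carve_slack(image: bytes, first_cluster: int, file_size: int,
                cluster_size: int = CLUSTER) -> bytes:
    """Return the slack region between a file's logical end and its last cluster end."""
    start = first_cluster * cluster_size + file_size
    return image[start:start + slack_bytes(file_size, cluster_size)]

def carve_unallocated(image: bytes, allocated: set, cluster_size: int = CLUSTER) -> bytes:
    """Concatenate every cluster not claimed by a live file (deleted data lives here)."""
    n = len(image) // cluster_size
    return b"".join(image[i * cluster_size:(i + 1) * cluster_size]
                    for i in range(n) if i not in allocated)

def acquisition_hashes(image: bytes) -> dict:
    """Digests recorded at acquisition; MD5 is what the page names, SHA-256 is added."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest()}

def verify_unchanged(image: bytes, recorded: dict) -> bool:
    """True if the image still matches the digests recorded at acquisition."""
    return acquisition_hashes(image) == recorded

def build_sample_image() -> tuple:
    """Constructed 8-cluster image: a 700-byte live file in clusters 2-3 with stale
    text left in its slack, and a deleted-file remnant in unallocated cluster 5."""
    img = bytearray(8 * CLUSTER)
    img[2 * CLUSTER:2 * CLUSTER + 700] = b"L" * 700
    stale = b"OLD draft text left in slack"
    img[2 * CLUSTER + 700:2 * CLUSTER + 700 + len(stale)] = stale
    remnant = b"DELETED memo contents"
    img[5 * CLUSTER:5 * CLUSTER + len(remnant)] = remnant
    return bytes(img), {2, 3}

if __name__ == "__main__":
    image, live_clusters = build_sample_image()
    recorded = acquisition_hashes(image)
    print("slack:", carve_slack(image, 2, 700).rstrip(b"\0"))
    print("unallocated holds remnant:", b"DELETED" in carve_unallocated(image, live_clusters))
    print("image unchanged:", verify_unchanged(image, recorded))
```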

• Report the analysis of the computer system, and provide you a copy of all relevant data, parsed into a format and arranged so that it can be integrated into your legal theories and strategies. In an appropriate case, the forensic analysis will also offer an opinion regarding the system layout, file structures, attempts to hide, delete, protect, or encrypt information, and anything else that has been discovered and is relevant to the matter.

• Provide expert consultation and/or testimony, as necessary. Many times attorneys are disappointed with the quality of expert testimony. A good computer forensics company will have trained its experts to appear in court to support motion practice, discovery disputes, and trial.