• Perform personal and confidential consultations with key individuals associated with the Data Discovery Process.
Identify ‘key’ evidentiary components
• Interview individuals involved to develop investigative strategies
• Identify Source Evidence components (computer, mobile device, tablet, etc.)
Preservation of the Computer Evidence
• Evidence Chain-of-Custody (establish / document / preserve)
• Acquire Source (key) Evidence by building a Data Dump (DD) image
• Use a ‘forensically sound’ set of protocols to investigate
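The acquisition and hashing steps listed above (and the "Hashed files MD5 and SHA" item under Documentation) as an added example, not code from the original page: a read-only, block-by-block copy of a source into a raw DD-style image, digests computed on the bytes as they are read and again on the finished image so the two can be compared, and a JSON Lines chain-of-custody log. The block size, examiner name, exhibit id and the sample bytes standing in for the device are constructed assumptions.

```python
"""Added example (not from the original page): forensically sound acquisition of a
source into a raw (DD-style) image, with hashes and a chain-of-custody log."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB read chunks; the size is an assumption


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent MD5 and SHA-256 of a file, read from disk a block at a time."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of source_path into image_path.

    The source is opened read-only. MD5 and SHA-256 are computed on the bytes
    as they are read; the written image is then re-read and hashed separately
    so the digests can be compared (the verify step imaging tools perform).
    Unreadable blocks are zero-filled, as dd with conv=noerror,sync does, and
    their offsets are recorded so the report can state what was not recovered.
    """
    src_md5, src_sha = hashlib.md5(), hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                chunk = b"\x00" * block_size  # keep image offsets aligned
                bad_blocks.append(offset)
                src.seek(offset + block_size)
            if not chunk:
                break
            src_md5.update(chunk)
            src_sha.update(chunk)
            img.write(chunk)
            offset += len(chunk)
    img_md5, img_sha = hash_file(image_path, block_size)
    return {
        "source": source_path,
        "image": image_path,
        "bytes": offset,
        "source_md5": src_md5.hexdigest(),
        "source_sha256": src_sha.hexdigest(),
        "image_md5": img_md5,
        "image_sha256": img_sha,
        "bad_blocks": bad_blocks,
        "verified": src_md5.hexdigest() == img_md5 and src_sha.hexdigest() == img_sha,
    }


def log_custody(log_path, examiner, action, evidence_id, details):
    """Append one chain-of-custody record (JSON Lines) with a UTC timestamp."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "evidence_id": evidence_id,
        "details": details,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def run_demo(sample_bytes=None, block_size=4096):
    """Constructed demo: a small temp file stands in for the evidence device."""
    if sample_bytes is None:
        sample_bytes = bytes(range(256)) * 64  # 16 KiB, spans several blocks
    workdir = tempfile.mkdtemp(prefix="acq_demo_")
    source = os.path.join(workdir, "evidence_device.bin")  # constructed stand-in
    image = os.path.join(workdir, "evidence.dd")
    log = os.path.join(workdir, "chain_of_custody.jsonl")
    with open(source, "wb") as f:
        f.write(sample_bytes)
    examiner, exhibit = "EXAMINER-PLACEHOLDER", "EXHIBIT-PLACEHOLDER"  # assumptions
    log_custody(log, examiner, "acquire-start", exhibit, {"source": source})
    result = acquire_image(source, image, block_size)
    log_custody(log, examiner, "acquire-verify", exhibit,
                {k: result[k] for k in ("bytes", "image_md5", "image_sha256", "verified")})
    with open(log, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f]
    return result, entries


if __name__ == "__main__":
    res, log_entries = run_demo()
    print(json.dumps(res, indent=2))
    for e in log_entries:
        print(e["time_utc"], e["action"], e["details"])
```

The two digests are kept separately (one from the read stream, one from re-reading the image) on purpose: a single hash computed during the copy would only prove what was read, not what landed on disk. Recording the hashes and the verify result in the custody log at acquisition time is what later lets a report show the image analysed is the one acquired.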
Analysis and Restoration of Key Evidence
• Recover key information from the acquired image (DD) data.
• Deleted, Hidden, Encrypted, and obfuscated files and metadata
• Metadata – (.exif)
• Partial remnants
• Registry components (last documents accessed, Registry item time stamps)
• Password recovery and decryption (building indexed word lists)
Analyze Evidence (Attempt to establish motives)
• Perform keyword searches (browser searches: search terms manually keyed into browsers)
• Establish time-lines
• Establish moods
• Establish connections / accomplice(s)
• Establish actions taken to obfuscate data
• Establish possible motives
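Establishing a timeline, as listed above, means bringing timestamps stored in different units and zones onto one UTC axis before any ordering can be trusted. The block below is an added example, not code from the original page: it converts constructed sample artifacts (file system ISO times, a Windows FILETIME registry last-write, a Chromium-style WebKit microsecond visit time, an EXIF DateTimeOriginal, and an e-mail header with a zone offset) to UTC, sorts them, and sets aside anything without a usable timestamp, which is the footnote's point about slack and pagefile data. The artifact values, the assumed camera clock offset (UTC-5) and the source names are constructed.

```python
"""Added example (not from the original page): normalising timestamps from several
artifact types into one UTC timeline, and setting aside artifacts with no timestamp."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # FILETIME / WebKit epoch
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
# EXIF times carry no zone; the camera clock offset is an assumption for the demo.
CAMERA_TZ = timezone(timedelta(hours=-5))


def from_filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def from_webkit(us):
    """Chromium history timestamps: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=us)


def from_iso(text):
    """ISO 8601 with a zone ('Z' or +hh:mm); result converted to UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(UTC)


def from_exif(text, tz=CAMERA_TZ):
    """EXIF DateTimeOriginal 'YYYY:MM:DD HH:MM:SS' in the camera's local zone."""
    return datetime.strptime(text, "%Y:%m:%d %H:%M:%S").replace(tzinfo=tz).astimezone(UTC)


PARSERS = {
    "filesystem": from_iso,
    "email": from_iso,
    "registry": from_filetime,
    "browser": from_webkit,
    "exif": from_exif,
}

# Constructed sample artifacts, shaped like what each source actually stores.
SAMPLE_ARTIFACTS = [
    {"source": "filesystem", "raw": "2024-03-01T10:15:00Z", "desc": "report.xlsx modified"},
    {"source": "registry", "raw": 133537620300000000, "desc": "RecentDocs key last write"},
    {"source": "browser", "raw": 13353761112000000, "desc": "visit: typed search"},
    {"source": "exif", "raw": "2024:03:01 05:30:00", "desc": "IMG_0001.jpg DateTimeOriginal"},
    {"source": "email", "raw": "2024-03-01T11:00:00+01:00", "desc": "message received"},
    {"source": "slack", "raw": None, "desc": "fragment recovered from file slack"},
]


def build_timeline(artifacts):
    """Return (events sorted by UTC time, artifacts that could not be placed)."""
    events, untimed = [], []
    for a in artifacts:
        parser = PARSERS.get(a["source"])
        if parser is None or a["raw"] is None:
            untimed.append(a)
            continue
        try:
            when = parser(a["raw"])
        except (ValueError, TypeError, OverflowError):
            untimed.append(a)  # malformed or out-of-range value: report, do not guess
            continue
        events.append({"time": when, "time_utc": when.isoformat(),
                       "source": a["source"], "desc": a["desc"]})
    events.sort(key=lambda e: e["time"])
    return events, untimed


if __name__ == "__main__":
    timeline, leftovers = build_timeline(SAMPLE_ARTIFACTS)
    for e in timeline:
        print(f'{e["time_utc"]}  {e["source"]:<10}  {e["desc"]}')
    for a in leftovers:
        print(f'(no timestamp)             {a["source"]:<10}  {a["desc"]}')
```

Keeping the unplaced artifacts as a separate list rather than dropping them matters for the report: the reader should see what was recovered but could not be dated, instead of inferring that nothing else existed.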
Documentation and Presentation of Computer Evidence
• Detailed reports
• Recovered documents - (previous versions of Microsoft Excel and other Microsoft documents)
• Recovered file and data remnants
• Decrypted Documents
• Local E-Mail audit (Local artifacts are those associated with a locally installed E-mail client)
• Recovered Graphics (.exif data containing GPS coordinates, the camera model that took the picture, and when the picture was actually taken)
• Internet Related - (what specific sites were viewed and when, and what was manually keyed into the browser address bar)
• Web Mail artifacts – (cached artifacts in Internet history, pagefile, system volume, applications)
• Internet Surfing Audit - Where are they going?
• Download Audit - What did they download?
• Upload Audit – What did they upload?
• File Transfer (FTP) – What did they transfer?
• Vulnerability Audit (Remote Access) – Are there keyloggers on the device? Is there capture-ware on the device?
• Identity Theft Audit – Were there attempts to log into social media, e-mail and other sites requiring a login user id and password?
• Hashed files MD5 and SHA
• Reconstruction of time lines where possible*
Trial Depositions and Testimony associated with computer / tablet related incidents and Digital Forensics as required.
* Not all data found in unallocated disk space, file slack and system files such as pagefile.sys will contain time-stamped artifacts.