Digital Forensics FAQs
Digital forensics is often used to determine how a data breach occurred or to recover deleted data, though there are many other reasons why digital forensics might be employed. Our cases generally start with a telephone conversation with a prospective client to see what the client is looking for or what they are trying to prove. In virtually every case, the potential client has questions and so do we.
In most cases, we are looking for deleted data. Forensic images (exact copies) of the phones/computers/tablets involved are then created. This preserves the systems and all of the data from being overwritten intentionally or by normal system processes.
The creation of an image also allows us to create backups – we do our analysis on these backups – not on the originals. This is important because it can help to protect you from spoliation claims if the opposing counsel requests access to the evidence for their own expert to perform an investigation.
We then use specialized software and techniques to begin our analysis. This is where the training and skill of our forensic investigators becomes invaluable. They will sort through the massive amount of information that can be contained on devices to find and interpret the information that will be the most useful and important for your situation.
It is hard to think of situations in which digital forensics could not be useful to some extent. About 25% of our cases involve criminal charges, including child pornography, terrorism, murder and virtually every other crime you can think of. Another 25% involve family law, where we are looking for such things as evidence of adultery, hidden financial assets, evidence of a parent being unfit, gambling and drug addictions, etc. Another 25% of our cases involve the theft of proprietary data, which is rampant in the digital era, when data is so easy to copy onto a device or send via e-mail. The rest of our cases involve just about every other area of law.
You generally want to hire an expert early. You may only need an hour or two of advice in the beginning, but that advice can be critical and will prevent you from making mistakes. Commonly we see critical information being overwritten by normal processes that phones and computers perform. It is also important to write a legal hold notice to your own client and preservation of evidence letter to the opposing side – experts will help guide you in the composition of such letters.
At Sensei, your data is stored in a secured digital forensic lab, accessible only by means of a proximity card and biometric access. For high-profile cases, we store the data in a fire-safe with dual authentication, which can only be accessed by officers of the company. Video records everyone coming into the lab. We also employ motion sensors and cameras that monitor everyone who enters and leaves our offices.
Good preservation of evidence letters need the help of a digital forensics technologist to craft. Obviously, we are careful to maintain chain of custody using forms designed for that purpose. We work only on backups so the original evidence that comes into our possession is preserved.
Yes. Our experienced experts can assist counsel in drafting language that will allow us to collect all the pertinent digital information in your matter. Few lawyers can craft that sort of technical language.
Most of the time, we are hired by law firms. However, there are also many cases in which we are hired directly by individuals or companies.
We can, especially in Virginia, Maryland, and D.C. where we work most often. There are several qualified lawyers and law firms to which we can direct you. We receive no compensation for such referrals – we simply try to match the right firm or lawyer with the work you need to have done.
There is no easy answer. This is why it is important to call and talk to a digital forensics examiner – to give you an estimate, we have to understand the scope of the work that needs to be performed. Certainly, the volume of data will impact the time as does the complexity of the analysis.
We strive to have a minimal impact on you and your business. However, in many cases, there will have to be some small disruption. These disruptions are caused by the preservation of all relevant information needed to properly handle your unique situation. We have a flexible team that can work with you to find the best solution that meets your needs and budget. We often do some work at night or on weekends to minimize disruption.
It sure is and we’ve seen exponential growth in such evidence in the last few years. While we still see plenty of desktop computers, they have been joined in digital forensics by an untold number of mobile devices. We routinely collect evidence from servers, cloud storage, removable media such as USB drives or external hard drives, tablets, iPads, and smartphones such as iPhones, Windows phones and Android phones.
We include two questions above because we see so many family law cases. But more generically, folks often believe someone has unauthorized access to their e-mail. When attempting to verify if unauthorized access of your e-mail account has taken place, Sensei uses different tools and methodologies depending on the specifics in your case. We get information from local web browser history, event logs and web mail records and other sources to determine if there has been unauthorized e-mail access and to provide you with proof of that access.
Yes, Sensei has the capability to preserve numerous kinds of data found on social networking sites in a way that will help with authentication in court, if necessary. In some situations, it is even possible to make collections of entire social network profiles from sites like Facebook, LinkedIn, Twitter, and others. The cost is usually not terribly expensive – and having a third party do the preservation of social media avoids the problems of authenticating self-preserved data if you must go to court.
Each case is different. Collecting digital evidence can be a complex and delicate process. Our examiners have in-depth training, certifications, and specialized hardware and software that will allow them to effectively collect all the information contained on your devices or those in the possession of someone else, without modifying any of the collected data.
Deduping or deduplication is the process of removing identical copies of individual files from a data set. This process often allows for a faster review of large datasets by eliminating the need to manually review identical files. This is usually performed through the comparison of hash values.
Metadata is data stored within a file’s structure that describes the file itself. While there are numerous possible types of information that can be stored as metadata, some of the more common include time stamps, creator/author information, camera information, last print time, last accessed time, last modified time and last saved date.
Unallocated space is described most simply as space on storage media that is available to have data written to it. Just because space is considered unallocated does not mean that there is not useful information still present. When a user deletes a file, say by placing the file in the recycle bin and then emptying the recycle bin, the operating system for that device marks that file as a place where new data can be written to in the future, but does no more. Therefore, the contents of that deleted file may exist for days, weeks, even years after the file was “deleted” by the user.
De-nisting is the process of removing files from a data set that can be identified as non-user created. The types of files generally removed by this operation include operating system files and files belonging to commercial computer programs. These files are identified by matching their hash values to the hashes contained in the National Software Reference Library hash sets. These listings are maintained by the National Institute of Standards and Technology, or NIST.
The process of creating a hard drive image or forensic copy involves creating a bit for bit copy of all data stored on a piece of storage medium. This copy will include all existing information as well as recoverable deleted information and unallocated space.
Data recovery is the process of finding data that was thought to be lost or destroyed. Often when data is deleted, it remains on its storage media in a recoverable state for a period of time. Data recovery techniques are also used to extract data from failed devices such as hard drives in an external case or the computer itself.
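To make the unallocated-space, imaging and recovery points above concrete, here is an added example (not the firm's own tooling) built on a constructed toy volume: a byte array divided into fixed-size sectors plus a directory that maps names to sectors. Deleting a file drops only the directory entry, so signature-based carving still finds the picture until normal write activity reuses its sectors; the sector size, signatures and file contents are all constructed for the demonstration.

```python
# Constructed toy volume: fixed-size sectors plus a directory of name -> sectors.
# Deleting a file only drops the directory entry, which is why bytes survive.
SECTOR, NUM_SECTORS = 64, 16
PNG_MAGIC, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"

class ToyVolume:
    def __init__(self):
        self.image = bytearray(SECTOR * NUM_SECTORS)
        self.directory = {}  # name -> list of sector numbers

    def allocated(self):
        return {s for secs in self.directory.values() for s in secs}

    def write(self, name, data):
        free = [s for s in range(NUM_SECTORS) if s not in self.allocated()]
        secs = free[:-(-len(data) // SECTOR)]  # ceil-divide: sectors needed
        for i, s in enumerate(secs):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.image[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = secs

    def delete(self, name):
        del self.directory[name]  # like emptying the recycle bin: bytes stay put

    def unallocated_bytes(self):
        alloc = self.allocated()
        return b"".join(bytes(self.image[s * SECTOR:(s + 1) * SECTOR])
                        for s in range(NUM_SECTORS) if s not in alloc)

def carve_png(blob):
    """Pull PNG-shaped files out of raw bytes by header and footer signature."""
    found, pos = [], 0
    while (start := blob.find(PNG_MAGIC, pos)) != -1:
        end = blob.find(PNG_END, start)
        if end == -1:
            break
        found.append(bytes(blob[start:end + len(PNG_END)]))
        pos = end + len(PNG_END)
    return found

def demo():
    """Returns (recovered_after_delete, carved_after_overwrite)."""
    vol = ToyVolume()
    photo = PNG_MAGIC + b"fake-pixel-data" * 6 + PNG_END
    vol.write("photo.png", photo)
    vol.write("memo.txt", b"unrelated text")
    vol.delete("photo.png")                      # entry gone, data still on disk
    after_delete = carve_png(vol.unallocated_bytes())
    vol.write("new.txt", b"x" * SECTOR)          # normal activity reuses the freed sector
    after_overwrite = carve_png(vol.unallocated_bytes())
    return after_delete == [photo], after_overwrite
```

This is why early preservation matters: once the freed sector is reused, the header is gone and carving no longer finds the file.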
A data breach is the unintended release or compromise of sensitive and confidential information stored on digital media. Any sensitive and confidential data can be subject to a data breach, including financial information and other personal information that can be used for identity theft, health care records, login credentials, etc. In some breaches (such as a stolen laptop), the thief may be uninterested in the data. But data theft for criminal purposes has increased dramatically in recent years, which is why Sensei opened an information security division to complement its IT managed services division and digital forensics division.
The term hashing in digital forensics refers to the process of verifying a file’s integrity by using a cryptographic hash algorithm to create a signature of that file. This signature value can be thought of as a unique “digital fingerprint” of the file itself. These hash values are used to verify that copies of evidence, such as hard drive images and individual files, are identical to the original evidence. The underlying digital data has not been changed if the hash value remains constant.
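The three hash-based steps described above (deduplication, de-nisting and image verification) share one primitive, so here is a single added example covering all three; it is not the firm's own code, uses SHA-256, and the file contents and the "known system file" hash set are constructed stand-ins for a real collection and the NSRL reference set.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample data set standing in for files collected from a device
COLLECTED = {
    "report.docx": b"Q3 client list and margins",
    "report (copy).docx": b"Q3 client list and margins",  # byte-identical duplicate
    "notes.txt": b"meeting notes",
    "kernel32.dll": b"OS-BINARY-BYTES",  # stands in for a known operating-system file
}
# Constructed stand-in for an NSRL-style known-file hash set (hypothetical values)
KNOWN_SYSTEM_HASHES = {hashlib.sha256(b"OS-BINARY-BYTES").hexdigest()}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path, chunk_size=1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copy(recorded_hash: str, copy_path) -> bool:
    """A working copy is only trustworthy if it still hashes to the recorded value."""
    return sha256_file(copy_path) == recorded_hash

def dedupe(files: dict) -> dict:
    """Keep the first file seen for each distinct hash; byte-identical copies drop out."""
    first_seen = {}
    for name, data in files.items():
        first_seen.setdefault(sha256_bytes(data), name)
    return {name: files[name] for name in first_seen.values()}

def denist(files: dict, known_hashes: set) -> dict:
    """Drop files whose hash matches a known-software reference set."""
    return {n: d for n, d in files.items() if sha256_bytes(d) not in known_hashes}

def demo_image_verification() -> tuple:
    """Record an image hash, verify an intact copy, then detect a one-word change."""
    with tempfile.TemporaryDirectory() as d:
        original = Path(d) / "evidence.dd"
        original.write_bytes(b"\x00" * 4096 + b"deleted mail fragment" + b"\x00" * 4096)
        recorded = sha256_file(original)
        working = Path(d) / "working.dd"
        working.write_bytes(original.read_bytes())
        intact = verify_copy(recorded, working)
        working.write_bytes(original.read_bytes().replace(b"mail", b"MAIL"))
        return intact, verify_copy(recorded, working)
```

In practice the recorded hash is written to the chain-of-custody form at acquisition time and re-checked before and after analysis; running denist(dedupe(COLLECTED), KNOWN_SYSTEM_HASHES) leaves only the two user files for review.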
Digital forensics combines specialized techniques with the use of sophisticated software to view and analyze information that cannot be accessed by the ordinary user. This information may have been “deleted” by the user months or even years prior to the investigation or may never have been deliberately saved to begin with – but it may still exist in whole or in part on the device. However, you cannot know what precisely is on your phone or tablet – it takes digital forensics software and knowledge to retrieve the data that the user cannot access.
There is potential for mobile phone forensics to be performed remotely, but it is not preferred. We understand how big a role your phone or tablet plays in your life, so we try to limit the amount of time that we need your device as much as possible! Typically, we need to have your phone or tablet in our possession for at least one day, but sometimes circumstances require us to keep the phone for a bit longer.
Can existing and previously existing information be retrieved from an Apple or Android smartphone or Windows computer?
Yes. Sensei has the capability to recover existing/previously-existing information from the majority of devices on the market, especially smartphones; however, we cannot determine our full capabilities until we know the make, model and carrier of a particular device.
The type and amount of information that can be recovered from a mobile phone is dependent on many different factors including the make and model of the phone, how intensively the phone is used, and how long ago the information was deleted. No one can guarantee precisely what can be recovered from mobile phones.
Yes, however, it is very unlikely that a mobile phone is hacked/compromised with spyware unless one of the following is true:
1) Physical access was given to another individual.
2) The device is jailbroken/rooted.
This can be quite difficult to determine on your own; however, it is best to start by searching your device for any applications that you do not remember installing. Malicious files typically run in the background of a device’s file system in order to remain covert. There are several spyware-type products that are extremely difficult to detect even with digital forensics.
Data recovery on mobile devices depends on the model number and the specific application(s) of interest. Every third-party application stores user-generated data in a different fashion; therefore, it is impossible to state that deleted information can or cannot be recovered from a specific application without analyzing both the device and program in question.
For someone to spy on your phone by using Apple’s iCloud service, they would need to have your Apple ID username and password. The first setting you should verify is the list of devices attached to your iCloud account, located within the Settings — iCloud account. If you see devices listed that you are not familiar with, your iCloud data could be synchronizing with other Apple devices.
Some additional things that you can look for on your iPhone are increased Screen Time activity, very slow startups or shutdowns, apps that suddenly shut down, or new apps on your device that you did not download or install.
If you think your device is being monitored, the first step that you should immediately take is creating a new Apple iCloud account to use on your device and removing the compromised account.