WHEN DO YOU NEED DIGITAL FORENSICS AND HOW CAN IT HELP?
Digital forensics is often used to determine how a data breach occurred or to recover deleted data, though there are many other reasons why digital forensics might be employed. Our cases generally start with a telephone conversation with a prospective client to see what the client is looking for or what they are trying to prove. In virtually every case, the potential client has questions and so do we. In the majority of cases, we are looking for deleted data. Forensic images (exact copies) of the phones/computers/tablets/devices involved are then created. This preserves the systems and all of the data from being overwritten intentionally or by normal system processes.
The creation of an image also allows us to create backups – we do our analysis on these backups – not on the originals. This is important because it can help to protect you from spoliation claims if the opposing counsel requests access to the evidence for their own expert to perform an investigation. We then use specialized software and techniques to begin our analysis. This is where the training and skill of our forensic investigators becomes invaluable. They will sort through the massive amount of information that can be contained on devices to find and interpret the information that will be the most relevant and important for your situation.
WHAT KINDS OF CASES REQUIRE DIGITAL FORENSICS?
Today’s widespread use of technology makes it difficult to think of cases in which digital forensics could not be useful. Many of our cases involve criminal charges, including child pornography, terrorism, racketeering, murder and virtually every other crime you can think of. Another portion of our casework involves the theft of proprietary data, which is rampant in the digital era, where data is easily copied, uploaded to cloud-storage websites or sent via email. We also deal with cases involving family law, where we are looking for such things as evidence of adultery, hidden financial assets, evidence of a parent being unfit, gambling and drug addictions, etc. The rest of our cases involve just about every other area of law. Additionally, we have clients that may need data recovered or retrieved from electronic devices.
WHEN SHOULD I HIRE A DIGITAL FORENSICS COMPANY?
You usually are doing yourself a favor if you hire an expert early. You may only need an hour or two of consulting in the beginning, but that advice can be critical and will prevent you from making mistakes. Commonly, we see critical information being overwritten by normal processes that mobile devices and computers perform. It is also important to write preservation of evidence letters, to your own clients and to the opposing side – experts can help guide you in the composition of such notices. When you invest in a digital forensics company, your data is gathered and examined in a forensically sound manner that will hold up in court.
HOW WILL MY DATA BE SECURED WHEN IN THE POSSESSION OF A DIGITAL FORENSICS COMPANY?
At Sensei, your data is stored in a secured digital forensic lab, accessible only by means of a proximity card and biometric access. For high profile or extremely sensitive cases, we store the data in a fire-safe with dual authentication, which can only be accessed by the three officers of the company. Video surveillance records everyone coming into and leaving the lab. We also employ motion sensors and cameras that monitor everyone who enters and leaves our offices. Our layered security systems protect the data that we store 24×7.
HOW CAN YOU PREVENT THE SPOLIATION OF DIGITAL EVIDENCE?
Good preservation of evidence letters need the help of a digital forensics technologist to craft. We are careful to maintain chain of custody with forms that document the sequence of evidence transfer. Additionally, we only perform analysis on backups so the original evidence that comes into our possession is preserved.
CAN YOU HELP WITH THE TECHNICAL LANGUAGE FOR A SUBPOENA?
Yes. Our experienced experts can assist counsel in drafting language that will allow us to collect all the pertinent digital information in your matter. Few lawyers have the ability to craft that sort of technical language.
WHO USES DIGITAL FORENSICS COMPANIES?
Frequently we are retained by a law firm or a company to perform digital forensic analysis and examination, however we are also happy to take on individuals as clients.
CAN YOU REFER ME TO A LAW FIRM THAT UNDERSTANDS DIGITAL FORENSICS?
We can, especially in Virginia, Maryland and D.C. where we work most often. There are a number of qualified lawyers and law firms to which we can direct you. We receive no compensation for such referrals – we simply try to match the right firm or lawyer with the work you need to have done.
HOW LONG DOES DIGITAL FORENSICS WORK TAKE?
The best answer we can give you is that it depends. This is why it is important to call and talk to a digital forensics examiner to discuss the work needed. In order to give you a time estimate, we have to understand the scope of the work that needs to be performed. Certainly the volume of data and types of searches and analysis required will impact the time.
HOW WILL DIGITAL FORENSIC WORK INTERFERE WITH MY BUSINESS?
We strive to have a minimal impact on you and your business. However, in the majority of cases, there will have to be some small disruption. These disruptions are caused by the preservation of all relevant information needed to properly handle your unique situation. We have a flexible team that can work with you to find the best solution that meets your needs and budget. We have the ability to do some work at night or on weekends to help minimize disruption to you and your business.
IS DIGITAL EVIDENCE ON MOBILE DEVICES?
It sure is and we’ve seen an exponential growth in such evidence in the last few years. While we still see plenty of computer systems, they have been joined in digital forensics by an untold number of mobile devices. We routinely collect evidence from smartphones and tablets. We have the ability to work with most devices on the market including Apple iPhones/iPads and Android devices from companies like Samsung, LG and many more.
IS MY SPOUSE ACCESSING MY EMAIL ACCOUNTS? IS SOMEONE READING MY EMAIL?
We include two questions above because we see so many family law cases. But more generally, users often believe someone has gained unauthorized access to their email. When attempting to verify if unauthorized access has taken place, Sensei uses different tools and methodologies depending on the specifics in your case. We get information from local web browser history, event logs, web mail records and other sources to determine if unauthorized email access has occurred and provide you with proof of that access.
CAN YOU PRESERVE OR SAVE A FACEBOOK PAGE OR OTHER SOCIAL MEDIA PAGES OR POSTS?
Yes, Sensei has the capability to preserve numerous kinds of data found on social networking sites in a way that will help with authentication in court, if necessary. In some situations, it is even possible to make collections of entire social network profiles from sites like Facebook, LinkedIn, Twitter, and others. Cost-effectively having a third party perform the preservation of social media avoids the problems of authenticating self-preserved data if you have to go to court.
HOW IS DIGITAL EVIDENCE COLLECTED?
There are so many answers to this question – each case is different. Collecting digital evidence can be a complex and delicate process. Our examiners have in-depth training, certifications and specialized hardware and software that will allow them to effectively collect the information contained on your devices or those in the possession of someone else, without modifying any of the collected data. These days, we often collect evidence remotely, directly from your network or even directly from a cloud source with the appropriate account credentials.
WHAT IS DEDUPING?
Deduping or deduplication is the process of removing identical copies of individual files from a data set. This process often allows for a faster review of large datasets by eliminating the need to manually review identical files. This is usually performed through the comparison of hash values.
WHAT IS METADATA?
Metadata is data stored within a file’s structure that describes the file itself. While there are numerous possible types of information that can be stored as metadata, some of the more common include time stamps, creator/author information, camera information, last print time, last accessed time, last modified time and last saved date.
WHAT IS UNALLOCATED SPACE?
Unallocated space is described most simply as space on storage media that is available to have data written to it. Just because space is considered unallocated does not mean that there is not useful information still present. When a user deletes a file, say by placing the file in the recycle bin and then emptying the recycle bin, the operating system of that device marks the space that the file was occupying as a place where new data can be written to in the future, but does no more. Therefore the contents of that deleted file may exist for days, weeks, even years after the file was “deleted” by the user.
WHAT IS DATA CARVING?
Data carving is a technique that a forensic examiner uses to attempt to recover information that has been deleted. This is possible because of how files identify their type (.doc, .docx, .txt, .pdf, etc.) to an operating system. They do this by having a unique combination of hexadecimal characters at the beginning (header) of the file and a sometimes a different unique combination of hexadecimal characters at the end (footer) of the file. These strings of characters are not visible to the user and have no meaning for them, – this is simply done so the operating system and software programs know what they are working with. For example when you save a .docx file to your computer, the first thing that is recorded to your storage media is the hexadecimal characters “50 4B 03 04 14 00 06 00” and towards the end of the file the hexadecimal characters “50 4B 05 06” will be found. With specialized software it is possible to search for these strings of characters and extract (carve) the information that exists between them. Carving is possible for many file types and not just documents.
WHAT IS DE-NISTING?
De-NISTing is the process of removing files from a data set that can be identified as non-user created. The types of files generally removed by this operation include operating system files and files belonging to commercial computer programs. These files are identified by matching hash sums to hashes contained within the National Software Reference Library hash sheets. These listings are maintained by the National Institute of Standards and Technology, or NIST.
WHAT IS HARD DRIVING IMAGING?
The process of creating a hard drive image or forensic copy involves creating a bit-by-bit copy of all data stored on a piece of storage medium. This copy will include all existing information as well as recoverable deleted information and unallocated space.
WHAT IS DATA RECOVERY?
The process of finding data that was thought to be lost or destroyed. Often, when data is deleted it remains on its storage media in a recoverable state for a period of time. Data recovery techniques are also used to extract data from failed devices such as hard drives in an external case or the computer itself.
WHAT IS A DATA BREACH?
A data breach is the intended or unintended compromise of sensitive and confidential information stored on digital media. Any sensitive and confidential data can be subject to a data breach including financial information and other personal information that can be used for identity theft, health care records, login credentials, etc. In some breaches (such a stolen laptop), the thief may be uninterested in the data. Data theft or compromise for criminal purposes has increased dramatically in recent years, which is why Sensei opened a cybersecurity division some years ago.
WHAT IS HASHING?
The term hashing in digital forensics refers to the process of verifying a file’s integrity by using a cryptographic algorithm to create a signature of that file. This signature value can be thought of as a unique “digital fingerprint” of the file itself. These hash values are used to verify that copies of evidence, such as hard drive images and individual files, are identical to the original evidence. The underlying digital data has not been changed if the hash value remains constant.
CAN MOBILE FORENSICS BE PERFORMED REMOTELY?
Unfortunately mobile phone forensics cannot be performed remotely. We understand how big a role your phone or tablet plays in your life so we try to limit the amount of time that we need your device as much as possible. Typically, we only need to have your phone or tablet in our possession for one to two days, but sometimes circumstances require us to keep the phone for a bit longer.
WHAT IS MOBILE/DIGITAL FORENSICS?
Digital forensics combines specialized techniques with the use of sophisticated software to view and analyze information that cannot be accessed by the ordinary user. This information may have been “deleted” by the user months or even years prior to the investigation, or may never have been deliberately saved to begin with – but it may still exist in whole or in part on the device. However, you cannot know what precisely is on your phone or tablet – it takes digital forensics software and knowledge to retrieve the data that the user cannot access
CAN EXISTING/PREVIOUSLY-EXISTING INFORMATION BE RETRIEVED FROM AN APPLE, ANDROID, BLACKBERRY, OR WINDOWS OS DEVICE?
Yes. Our company has the capability to recover existing/previously-existing information from the majority of devices on the market, especially smartphones; however, we cannot determine our full capabilities without knowledge of the make, model and carrier of a particular device.
WHAT DELETED INFORMATION CAN BE RECOVERED FROM MOBILE PHONES?
The type and amount of information that can be recovered from a mobile phone is dependent on many different factors including the make and model of the phone, how intensively the phone is used, and how long ago the information was deleted. No one can guarantee precisely what can be recovered from mobile phones.
WHAT IS THE DIFFERENCE BETWEEN A SMARTPHONE AND A FEATURE PHONE?
Feature phones contain a limited amount of storage space and user applications, whereas smartphones contain the capability to match a computer system’s storage and application limitations. Smartphones are essentially computers that can make phone calls.
IS IT POSSIBLE TO HACK A MOBILE PHONE?
Yes, however, it is very unlikely that a mobile phone is hacked/compromised with spyware unless one of the following is true:
1) Physical access was given or available to another individual.
2) The device is jailbroken/rooted.
HOW CAN YOU DETECT/TELL IF SPYWARE OR OTHER MALWARE IS INSTALLED ON YOUR MOBILE PHONE?
This can be quite difficult to determine on your own; however, it is best to search your device for any applications that you may not have installed. Malicious files are typically run in the background of a device’s file system, in order to remain covert. There are several spyware products that are extremely difficult to detect even with digital forensics.
IS IT POSSIBLE TO RECOVER DATA FROM A THIRD PARTY APPLICATION ON MY MOBILE DEVICE?
Data recovery on mobile devices depends on the model number and the specific application(s) of interest. Every third party application stores user-generated data in a different fashion; therefore, it is impossible to state that deleted information can or cannot be recovered from a specific application without analyzing both the device and program in question.
Here is a sample list of third party communication programs from which the extraction of existing information is possible: WhatsApp, Viber, Twitter, PingChat, Skype, Yahoo Messenger, KIK Messenger, ICQ, Snapchat, TigerText, Facebook Messenger, BBM, TextNow, Textfree, AIM, and GO Chat. The mobile forensics software that we use supports the data parsing of many more apps – too many to list.