Why should you consider using forensic computer examinations and a trained forensic examiner?
Any examination of a computer and the data contained on the media conducted by an untrained person could result in:
Windows keeps a swap file that is used when memory resources are low. This is a dynamic file that grows with use. This swap file can hold complete files or other data that can significantly help a case.

Web browsers keep a number of temporary files, including cache and history files that tell where and when web sites were visited, and keep copies of files that were viewed. These temporary files can be accessed, viewed and copied. The data contained in these files can be very valuable to a case or investigation.

The most common method used to hide data is to delete files or format the drive or diskette. Deleting a file or formatting a drive or diskette does not destroy the data. An experienced forensic examiner can recover the deleted data and draw expert conclusions as to when, how or why the data was deleted or removed from the media. Frequently, recovering deleted or formatted data and showing which particular files were deleted or removed is a good indication of culpability or gives valuable insight into what the person was trying to do at the time of the deletions. The dates and times of deletion or formatting frequently coincide with actions taken by employers and law enforcement, for example, the employee formats his Hard Disk Drive one hour after being accused of selling or using company sensitive data.

Data that is password protected is usually data that the user does not want others to see or access. Password protected data frequently contains information relevant to the investigation or inquiry at hand. An experienced forensic examiner has the knowledge and equipment to unlock passwords and access the data.

It is relatively simple to alter an operating system or its internal commands (i.e., DIR, COPY, TYPE, etc.) to do something other than boot, display the directory listing, copy files or type files. Alterations to the operating system or internal commands are usually made by persons who want to conceal or destroy data that they do not want others to see. This is usually the kind of data that will be important to an investigation or inquiry.

Simply booting a target or suspect's machine will cause the alteration of certain operating system files. Although this normally will not cause the alteration of user created files, it will, arguably, cause the alteration of the original media. Simply booting a target or suspect's machine may cause the loss or destruction of data, or may cause destructive processes set up by the suspect to run. Typing an internal command such as DIR to see what's on the machine could activate destructive processes. Any or all of the data on the machine could be completely destroyed and the operating system could be made inoperative.

It is also relatively simple to hide files that normal DOS/WINDOWS commands, such as DIR and other commands, cannot find. The hidden file simply will not be displayed, and its contents will not be found or examined.
An untrained person may not know if a file that appears to contain no

Data can be hidden or located in many places on a computer Hard Disk Drive or other media. Untrained persons will probably not find the data. The use of an untrained person could cause the inadvertent destruction of data, could cause deleted, hidden or encrypted data to be overlooked, and could cause inadvertent writes back to the original media that alter it. Even if the untrained person found relevant data, the data will probably be legally inadmissible or unusable. This is because of the untrained person's lack of forensic training and credentials, because the methods used were not forensically sound, and because of their lack of understanding of the technical

Law enforcement agencies have been trained in and have used forensic computer examinations for a number of years. Law enforcement agencies have the only court proven expertise in computer forensics.

You, your company, your firm or your agency can now benefit from our law enforcement training, our considerable experience and expertise.

Copyright © 2003 Key Computer Service, Inc.