Computer Forensics 101
There are many steps to a proper forensic
examination as it relates to electronic
media. One of the most important steps is
not altering the original media. In other
words, an examination must be performed by reading
the data from the media without altering it.
This is necessary in order to establish the fact
that data was not planted or altered. In
some circumstances, dependent upon
hardware/software compatibility, this is not
possible. In most circumstances, a third-party
organization is asked to provide such services
because that organization can provide an unbiased
examination.
Steps taken during a typical examination
include:
Many times, it is not possible to "turn
over" property because the property may
consist of servers or equipment that cannot be
removed. M2CFG has the ability to acquire
data "on-scene". We have
experience conducting imaging and examination both
on-site and off-site.
"Imaging" of data is the process of
creating a file that contains the data needed to
perform a forensic examination. Many people
refer to this as a "bit stream" copy or
a "bit by bit" copy. In reality,
it is a duplication of data from one device to
another. It is the digital image that is
used to perform the examination. This
"image" is read-only. This means
that data is read from the image and cannot be
written to. This process prevents the
altering of potential findings.
Verification of the image is performed after
the image has been created. This is a
process of checks that will indicate the
authenticity and integrity of the data that is
contained within the image. In some
instances, bad blocks and sectors on electronic
media can affect the integrity of the image.
These circumstances are documented and only result
in the inability to examine the portion of the
electronic media that is "bad".
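The imaging and verification steps described above, as an added example that is not M2CFG's own tooling or procedure. It assumes SHA-256 as the integrity check and zero-filling of unreadable blocks; the function names and the simulated 8-block "media" are hypothetical and constructed for illustration.

```python
import hashlib, os, stat, tempfile

BLOCK = 512  # assumed sector size for the constructed sample

def acquire(read_block, n_blocks, image_path, block_size=BLOCK):
    """Copy n_blocks from the source into image_path.

    read_block(i) returns the bytes of block i or raises OSError if unreadable.
    Unreadable blocks are zero-filled in the image and recorded, so the
    examiner can document which part of the media could not be examined.
    Returns (SHA-256 hex digest of the image contents, list of bad blocks).
    """
    digest, bad = hashlib.sha256(), []
    with open(image_path, "wb") as img:
        for i in range(n_blocks):
            try:
                data = read_block(i)
            except OSError:
                bad.append(i)
                data = b"\x00" * block_size
            img.write(data)
            digest.update(data)
    os.chmod(image_path, stat.S_IRUSR)  # the image is read-only from here on
    return digest.hexdigest(), bad

def verify(image_path, expected_hex, chunk=1 << 20):
    """Re-read the image and confirm it still matches the acquisition digest."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as img:
        for part in iter(lambda: img.read(chunk), b""):
            digest.update(part)
    return digest.hexdigest() == expected_hex

def demo():
    # Constructed sample: 8 blocks of "media", block 5 simulated as unreadable.
    media = [bytes([i + 1]) * BLOCK for i in range(8)]
    def read_block(i):
        if i == 5:
            raise OSError("simulated bad sector")
        return media[i]
    path = os.path.join(tempfile.mkdtemp(), "evidence.img")
    acq_hash, bad = acquire(read_block, len(media), path)
    return path, acq_hash, bad, verify(path, acq_hash)

if __name__ == "__main__":
    print(demo())
```

The digest and the bad-block list returned by `acquire` are what would go into the examination notes; `verify` can be re-run at any later point to show the image has not changed since acquisition.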
Forensic analysis of data contained on
electronic media is performed by qualified and
certified Computer Forensic Analysts.
Analysts must be trained to recognize file
structures and be familiar with specific file
systems in order to perform an examination
accurately. Software is used to access the
imaged data and translate structures into a
readable and understandable format. This
process is performed in such a manner that it does
not alter the original media. In most
circumstances, the original media is not examined
but sometimes it may be necessary.
Proper reporting is necessary in order to fully
understand what was located during the examination
and how it was located. M2CFG analysts have
had years of experience explaining to clients how
and why data exists and how to interpret the
findings. Findings are typically reported
and provided on interactive CD or DVD discs.
If you need more information about these
processes please contact us.