From what types of media can data be recovered
and analyzed?
The most common media presented for Forensic Analysis is the hard disk
drive. However, given the proliferation of alternate media storage devices
and attempts of individuals to mask or move data to unsuspected places,
tapes, diskettes, ZIP disks, CD/ROM, CDRW, and flash memory devices
are also possible sources of valuable evidence. It is also important
to note that the incorporation of digital memory storage devices, such as
flash memory, will allow for the recovery of important data from answering
machines, voicemail systems, digital copier units, pagers, PDAs, mobile
telephones, and many other devices. These facts reinforce the need to
involve technical experts equipped with both forensic skills and the
technical know-how to consider all possible data sources.
Is computer Forensic Engineering cost-effective?
This is probably the most critical question to ask when contemplating
an in-depth analysis of electronic data. With our clients' pocketbooks
in mind, LWG Consulting approaches computer Forensic Engineering in phases.
The first phase is always the same: to preserve the evidence. This involves
creating a forensic image of the original media in a form that can later
be authenticated. Once evidence is preserved, a preliminary analysis
can be carried out to provide a list of active and deleted files on
the hard drive. Following review of this information, keyword searching
can be carried out, individual files can be extracted for more in-depth
review, timeline analysis can be performed, and other Forensic Engineering
services can be accomplished. By approaching the overall analysis in
phases, our clients can keep an eye on the cost effectiveness of the
service from start to finish.
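
The preservation phase described above, an image "in a form that can later be authenticated", is commonly done by hashing the data as it is copied and re-hashing the image whenever it is handled. The following is an added example, not LWG Consulting's own tooling; SHA-256, the 4096-byte segment size, and the function names are assumptions, and the sample "drive" is constructed in memory.

```python
import hashlib
import io

SEGMENT = 4096  # bytes per segment hash (value assumed for this sketch)


def _scan(stream, sink=None, segment=SEGMENT):
    """Read stream to EOF, optionally copying to sink, hashing what was read."""
    # SHA-256 is an assumption; the page names no algorithm.
    whole, parts = hashlib.sha256(), []
    for chunk in iter(lambda: stream.read(segment), b""):
        if sink is not None:
            sink.write(chunk)
        whole.update(chunk)
        parts.append(hashlib.sha256(chunk).hexdigest())
    return {"sha256": whole.hexdigest(), "segments": parts}


def acquire(source, image, segment=SEGMENT):
    """Image the source and return the record to store with the custody log."""
    return _scan(source, image, segment)


def authenticate(image, record, segment=SEGMENT):
    """Re-hash an image; return (matches, indexes of segments that differ)."""
    current = _scan(image, None, segment)
    old, new = record["segments"], current["segments"]
    differ = [i for i in range(max(len(old), len(new)))
              if i >= len(old) or i >= len(new) or old[i] != new[i]]
    return current["sha256"] == record["sha256"], differ


def demo():
    media = bytes(range(256)) * 64           # constructed 16 KiB "drive"
    image = io.BytesIO()
    record = acquire(io.BytesIO(media), image)
    intact = authenticate(io.BytesIO(image.getvalue()), record)
    altered = bytearray(image.getvalue())
    altered[5000] ^= 0x01                    # one flipped bit, in segment 1
    changed = authenticate(io.BytesIO(bytes(altered)), record)
    return intact, changed


if __name__ == "__main__":
    print(demo())
```

The per-segment hashes go beyond a single whole-image hash: when authentication fails, they show which part of the image no longer matches the acquisition record.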
Will passwords or encryption of data prevent the successful analysis of
that data?
Often, password protection and encryption of data can be overcome through
searching the subject media for password/key stores and using this information
to gain access to the data. In the event this direct approach is not
possible, LWG Consulting can utilize various forensic and decryption
tools to defeat the obstacle. It should be noted that much like physical
security measures, electronic security can vary in strength. The most
current encryption techniques are very robust and require intense computing
power to overcome. In some instances, these encryption techniques cannot
be overcome.
Does the handling of electronic evidence differ
from other types of physical evidence? How is the chain of custody documented
and protected?
Although there is specific case law applying directly to the submission
and recognition of electronic evidence within the courtroom that differs
somewhat from physical evidence, many of the rules of handling remain
the same. The collection, preservation, and tracking of electronic evidence
are done in a manner so as to preserve the authenticity and admissibility
of said evidence. From the point of engagement between the client and
LWG Consulting, all transactions are documented. The exchange of physical
evidence or media is done using recognized chain of custody documentation.
All material received for analysis is logged and held in secure storage.
All subsequent access to and handling of the media is logged, documented
and done in a forensically sound manner so as to meet the concerns of
future authentication and submission.