
Computer forensic data gathering and storage:
Electronic discovery services to help lawyers identify, acquire,
restore, and analyze electronic data in litigation. We would work in
tandem with any additionally assigned companies that we are assisting in
this operation or that are allocated to physical media (paper-based)
collection services.
Prime Dynamics Technology Group, LLC would forensically capture Server
or Workstation hard drive copies onsite in a structured and witnessed
process. Time is of the essence: the more rapidly data is collected, the
higher the success rate in avoiding tampering and the like.
A place to start is the identification of likely sources of relevant
information, including what and whom to target. Once that is identified,
immediately move on to gathering the electronic evidence, while taking
care to avoid spoliation. That means taking care to avoid the
destruction, alteration, or mutilation of evidence, to ensure that the
work product withstands scrutiny in all jurisdictions, departments and
entities.
All targets will be electronically categorized in a customized
database system which would record many aspects of the target. A
sampling of the information recorded for a PC workstation would be
location, all users that have logged onto that machine, most recent
active (primary) user, particular machine relocation history, etc.
This database recording would be performed on location through the
use of laptop computers and wireless WAN connections.
Every targeted machine would have two forensic copies (bit-by-bit
images) of its hard drive(s) made onsite, at location. In the event that
a hard drive is not readable immediately onsite within the mule machine,
the drive will be documented, sealed and transported to our office for
disaster recovery data collection.
One copy is to be placed back into the computer for the end user to
be able to perform their job. The original and other copy will be
verified, tagged, documented and sealed. A hash value would be
calculated for each source and destination hard drive. The source and
destination values would in turn be matched against each other to ensure
a perfect match of data. The source and destination drives would be
sealed in evidence bags with the hash algorithm documentation and signed
chain of custody documentation.
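The source-to-copy hash match described above can be sketched as follows. This is an added example, not Prime Dynamics' own tooling; SHA-256, the record fields, the placeholder names and the small constructed files standing in for drives are all assumptions.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a whole drive never sits in memory

def sha256_of(path):
    """Stream a drive image (or raw device node) through SHA-256."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
            size += len(block)
    return digest.hexdigest(), size

def verify_copies(source, copies, examiner, witness):
    """Hash the source and every copy; return a record for the evidence bag."""
    src_hash, src_size = sha256_of(source)
    record = {
        "algorithm": "SHA-256",  # assumed; the page does not name an algorithm
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "witness": witness,
        "source": {"path": source, "bytes": src_size, "sha256": src_hash},
        "copies": [],
    }
    for path in copies:
        h, n = sha256_of(path)
        ok = h == src_hash and n == src_size
        record["copies"].append({"path": path, "bytes": n, "sha256": h, "match": ok})
    record["all_match"] = all(c["match"] for c in record["copies"])
    return record

def demo():
    """Constructed sample: three small files play the original and two copies."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("original.img", "copy1.img", "copy2.img")]
        data = os.urandom(3 * CHUNK + 17)  # deliberately not a multiple of CHUNK
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(data)
        good = verify_copies(paths[0], paths[1:], "EXAMINER (placeholder)", "WITNESS (placeholder)")
        # Flip one byte in the second copy to model a bad read during imaging.
        with open(paths[2], "r+b") as fh:
            fh.seek(CHUNK + 5)
            fh.write(bytes([data[CHUNK + 5] ^ 0xFF]))
        bad = verify_copies(paths[0], paths[1:], "EXAMINER (placeholder)", "WITNESS (placeholder)")
    return good, bad

if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, indent=2))
```

A copy whose record shows "match": false would be re-imaged before anything is sealed, since the documentation in the evidence bag has to describe identical data.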
All recovery and analysis work will be performed on the drive copy
and not the original.
The evidence would be appropriately transported to a designated
safe storage area or lab with appropriate routing and identification
paperwork to facilitate any future analysis.
Detailed daily and weekly reports would be provided to the approved
dispatching entity to assure measurable deliverables are accurately in
place and realized.
Post-capture analysis:
Prime Dynamics Technology Group, LLC is available for data
searching and analysis at your request.
Using the copy of the original disk(s), the computer forensic
examination will focus on several areas: the free disk space, the file
slack, and the swap files.
Free space is the unused space on the disk, but there will be areas
that hold deleted files that can be recovered. File slack is the unused
space at the end of a file cluster; this too may have been previously
used to store files that are now deleted. Swap files are caches used to
store information before it gets written to the hard drive, and they may
contain valuable information.
With the rapidly growing capacity of hard drives, it has become
almost physically impossible for a human being to examine all the data
that can be stored on a computer system. Prime Dynamics Technology
Group, LLC, like other computer forensic consulting firms, has
developed in-house software to assist in the examination of evidence.
This software usually takes the form of a text search tool, and the
computer forensic specialist will use a combination of experience,
background information about the case, deductive reasoning, and common
sense to devise a list of keywords as well as specific timeframes of
file creation and modification. This list will be run through the search
tool(s) to locate relevant evidence. This method is popular because it
neatly avoids encroaching on any private or third-party information that
may also be held on the drive.