Our mission is to successfully recover your data and we do it using a certified ISO Class 5 Cleanroom environment. We protect data privacy since we specialize in information security and know the value our customers place on it. We recover data from all consumer devices. We also perform specialized business data recovery services for Fortune 500 companies and government agencies.
Some of the methods we perform include platter swaps, head stack replacements, reverse imaging, data carving, and file/database rebuilding.
Everyone seems to have a mobile device, and most crimes have a digital element to them. When you add Bring Your Own Device (BYOD) to the mix, a whole new set of problems comes about. With this said, we can analyze a plethora of mobile devices.
We are proficient with Paraben, FTK MPE, Cellebrite, jailbreaking iOS, rooting Android devices, and the entire forensic process. We also understand Java and how to reverse engineer and analyze Android .apk packages. At this point we do not do "chip off" or JTAG forensics internally; we outsource them.
This covers after-the-fact forensics, where the system has been shut down. The probable cause has been tripped; you seize the computer and make forensically sound copies of the hard drive for further analysis. The interesting thing about data is that once it has been written to a drive, it will ALWAYS be on the drive until overwritten by other data. If you delete a file, there is a possibility of recovering it years later. There are a lot of variables in play here, but if a suspect is breaking policy or the law, there is a good chance there will be artifacts of that activity on the system (computer, tablet, phone, game console, etc.).
META information is the data in a file that sits just after the header (the first few bytes) and before the meat of the file. Graphics, Office files, and a lot of other files have this META data. For example, a lot of graphics have an extra section of META called EXIF. This is usually inserted into pictures taken with a phone or a camera, and by some editing applications such as Photoshop. Midrange and higher cameras add serial numbers. Phones with location services can even add the GPS location at the time the picture was taken. This is prime intel for stalkers and undesirables, and it is an example of why one should watch what they post online.
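As an added example (not part of the original page), the following stdlib-only Python check reports whether a JPEG carries an Exif block, a GPS directory, or a camera body serial number before the picture is posted. The function names and the sample image bytes are constructed for illustration; the tag ids are the standard Exif ones.

```python
import struct

GPS_IFD, EXIF_IFD, BODY_SERIAL = 0x8825, 0x8769, 0xA431  # standard Exif tag ids

def find_exif(jpeg):
    """Return the TIFF block inside the APP1/Exif segment, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\0\0":
            return body[6:]
        if marker == 0xDA:  # start of scan: pixel data follows, metadata is over
            break
        pos += 2 + size
    return None

def read_ifd(tiff, offset, end):
    """Map tag id -> raw value/offset field for the IFD at `offset`."""
    tags = {}
    if offset + 2 > len(tiff):
        return tags
    (count,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    for i in range(count):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        if len(entry) < 12:  # truncated directory: stop instead of raising
            break
        tag, _type, _n, value = struct.unpack(end + "HHII", entry)
        tags[tag] = value
    return tags

def privacy_findings(jpeg):
    """Report whether the image carries Exif, a GPS block, or a body serial."""
    tiff = find_exif(jpeg)
    if tiff is None or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return {"exif": False, "gps": False, "serial": False}
    end = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
    gps = GPS_IFD in ifd0 and bool(read_ifd(tiff, ifd0[GPS_IFD], end))
    sub = read_ifd(tiff, ifd0[EXIF_IFD], end) if EXIF_IFD in ifd0 else {}
    return {"exif": True, "gps": gps, "serial": BODY_SERIAL in sub}

def constructed_sample():
    """Constructed JPEG: IFD0 -> GPS IFD holding only GPSLatitudeRef = 'N'."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD, 4, 1, 26, 0)
    gps = struct.pack("<HHHI4sI", 1, 1, 2, 2, b"N\0\0\0", 0)
    payload = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

Calling `privacy_findings(open(path, "rb").read())` on a real photo gives the same three flags; a file that has been stripped of metadata reports all three as `False`.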
To break it down, data is data… If a suspect downloads illegal pictures or movies, that data is broken up into smaller pieces and transferred to the system. It is then rebuilt for the user to access. If you were to record the network traffic, every file transferred could be rebuilt on any other system. If you are lucky enough to have full packet capture on your network, you can rebuild everything. The simple reality is that most organizations do not want to spend the resources. It is very expensive. Imagine a network of twenty systems each downloading ten gigs in one day. The normal noise of the network along with the download sessions would be well over two hundred gigs. That would then have to be stored for analysis, which is where the cost comes in. That is why most people usually do not log everything. They only log the red flag events.
Network forensics also covers viewing logs from network devices such as routers, intrusion detection systems, firewalls, systems, etc. Each computer has a hardware fingerprint (MAC address) and an Internet fingerprint (IP address). These can be traced back to the owner in several ways. The website arin.net, the American Registry for Internet Numbers, is a good place to start.
Keeping organizational information assets secure in today's interconnected computing environment is a true challenge that becomes more difficult with each new "e" product and each new intruder tool. Most organizations realize that there is no one solution or panacea for securing systems and data; instead a multi-layered security strategy is required. One of the layers that many organizations are including in their strategy today is the creation of a Computer Security Incident Response Team.
This covers incident response, or "live", forensics. The probable cause has been tripped; you go to the system to dump memory and look at processes and current connections. Memory is extremely volatile; if the system powers down, its contents can be lost forever.
Almost all of the devices that would be investigated post mortem (computer, tablet, phone, game console, etc.) can benefit from this as well. It just depends on what you are looking for. If the person has encryption of data at rest, or "disk encryption", you may have to capture the memory before shutting down the computer or you will not be able to decrypt the hard drive.