Forensic Examination - FAQ's
Please visit our "Contact Us" pages if you are in need of further assistance.
1. What is the process of a typical digital forensic ("e-forensic") examination?
|
Regardless of the task, all examinations begin with submitting our eForensic Request form.
Once a request has been made, an initial consultation is conducted between the client (you) and a member of the PATCtech Staff in order to discuss the best option for you the client. Whether a service provided by PATCtech is your best option or not, you will be provided with guidance towards your best course of action.
Once a client has contracted a service with PATCtech, a typical examination flows as follows:
- Assessment: Identify the scope of your case and specific tasks required, including all legal matters involved.
- Acquisition: This is where the physical examination begins and involves the duplication of all data from all necessary hardware.
- Examination: In this phase the duplicated data is examined using industry standard procedures, with the most advanced tools in the business, and by some of the most experienced examiners you will find.
- Documentation & Reporting: Results of the examination are compiled in a format that can be used in a Court of Law and are conveyed verbally and in written form to the client in plain English.
- Follow-Up: The Chief Case Representative assigned to your case will then consult with you on your best course of action to take based on the findings of your examination - this may include, but is not limited to, assisting with further examinations, making data service recommendations, and providing e-forensic legal services, to name a few.
|
2. What is the difference between digital forensics and electronic discovery ("e-Discovery")?
What service do I need?
|
Though commonly mistaken as one and the same, digital forensics and e-discovery are separate processes. The most basic understanding of the difference can be explained as follows:
- Digital Forensics is commonly referred to as an "autopsy" of a storage device (hard drive, cell phone memory, network and backup storage device etc...) where processes are followed that comply with the legal standards of any type of investigation that produces data required for evidence in a court of law. Furthermore, the scope of a digital forensic examination is different in that it digs deeper into the data to produce things like deleted files, encrypted files, metadata, slack space, file change or deletion information, user activity and more.
- Electronic Discovery on the other hand, in its simplest form, is only the process of data gathering. On one level, we all perform e-discovery every time we search for an old email somebody sent us a month ago. At a larger level, electronic discovery can be the process of keyword searching unformatted and archived files from backup media for the purpose of finding all emails, images and documents pertaining to a particular subject.
If you have one or more devices that you know are all that need to be examined, then a Forensic Examination of Device(s) is the solution you need. If you know what type of information you're looking for, but don't know which devices you need to examine, then a Subject eDiscovery & Forensic Examination is the solution you need.
The following chart can guide you in determining the solution that best fits your demands. PATCtech is available for free consultations by phone at 800.365.0119 (M-F 7:30am to 4pm EDT) or by using the General Contact Form.
SCOPE OF CASE | SOLUTION
Legal discovery and reporting of contents contained within one or more device(s): | Forensic Examination of Device(s)
Legal eDiscovery and reporting of all files, electronic communications and media pertaining to a particular subject or person: |
Recovery and backup of all data stored on a cell phone - to use in criminal, civil, administrative or personal investigations, or simply to backup or recover data from damage to cell phone: |
Certified and guaranteed irreversible deletion of all data contained on one or more devices: |
Live monitoring and reporting of active traffic on your privately owned system or network - including bandwidth management for websites, users, and applications: |
"Live" preservation of data with managed and monitored backup/restoration for readily available disaster recovery or electronic discovery requests: |
Managed preventative maintenance for critical IT services - including managed anti-virus, anti-spyware, anti-spam, server and workstation patching, service pack installation, 24/7 monitoring and more... |
Recovery of lost or deleted data from a computer hard drive that has been damaged, formatted, encrypted, or lost in some other fashion: | Data Recovery *NOTE: This service does not include the same forensic reporting that is included in an "Examination of Device" as listed above.
Audit of network/data systems to eliminate internal or external threats of data theft or sabotage: | Network and Data Security Audit
Save money when adding software and hardware solutions to your existing digital forensics lab. |
3. If we have remote users (webmail, VPN etc.) will their home computers need to be examined?
|
In all types of examinations, the items being examined will be governed by the contract between PATCtech and you the client. PATCtech will make recommendations as to what items need to be examined prior to signing the contract (initial consultation), and continue to make recommendations as the case proceeds. Depending on the purpose of the investigation, remote client devices may or may not need to be examined.
PATCtech is staffed with specialized law enforcement investigators who bring years of experience in examining every type of device, and have investigated virtually every type of crime or client request - hence, we can ensure that you are aware of all necessary items that need to be examined.
4. What all devices can you examine?
|
An e-forensic examination can be done on anything that produces and stores digital data. This includes, but is not limited to: cell phones, computers, digital cameras, hard drives, portable memory sticks (flash drives), iPods and other media devices, VOIP systems, servers, network appliances (routers, switches) and wireless devices. Additionally, for a complete subject eDiscovery, PATCtech can assist with online investigations into website usage, blog and forum posts and use of social networks like MySpace, Facebook and YouTube.
As a company, PATCtech can also provide guidance and training on investigations of other types, including the investigation of cell phone records, identity theft investigations, cyber crime investigations, and the technical aspects of crime scene procedures (crime scene photography, fingerprinting, medical forensics, and more...). |
5. Can real time forensic analysis of computer data (a.k.a. "Live Forensics") be uncovered?
|
'Live' data forensics is the next wave in computer forensics. This service lies in the realm of data services, as it is not looking for past events but rather for the collection, storage, monitoring and management of live data on a computer or network.
PATCtech provides full-spectrum solutions that include forensic discovery and recovery of existing digital data, as well as managed data services that provide 'live' data security, data collection, data monitoring and data backup.
View the PATCtech Data Services for more information
|
6. How can you help attorneys with a case?
|
PATCtech can provide attorneys on both sides of the aisle with many services. Examples of services to attorneys include:
- Assist attorneys by conducting e-forensic examinations for the purpose of gathering evidence.
- Provide case consultation in regard to investigative steps required to produce legally accepted data.
- Provide expert witness testimony in support of or to discredit previously conducted procedures outlined in a Court of Law.
View PATCtech Legal Services for more information
|
7. How much will it cost?
|
Preliminary discussions/consultations of case: We welcome discussions over the phone or email prior to any service performed at no cost. To initiate a preliminary discussion or consultation, you may contact us by phone at 800.365.0119, or by completing one of our contact forms.
Cases accepted for service: During the initial consultation a complete scope of the project will be defined. At this point PATCtech will provide a written estimate for Cost of Services (COS) for your review prior to contracting with PATCtech.
Legal Services: Should the results of the forensic Examination be used in a Court of Law, or otherwise become a legal issue, PATC Forensic Technology charges for on-site legal services at $2,500 per day in addition to all actual cost expenses incurred for travel, lodging and incidentals. Click Here for more information about PATCtech Legal Services
Expedited Services: A fee of $1,000 will be charged for any case where final documentation and reporting is required within two (2) weeks from the date services were contracted.
* Hybrid Solutions: When your solution calls for mixed services from PATCtech and the PATCtech Affiliate Network, the standard rate for PATCtech services will be separate from any fees for services performed through the PATCtech Affiliate Network.
|
8. Can you track or monitor user activity on our network?
|
Tracking and monitoring user activity on a computer or network can be accomplished.
Tracking user activity can be accomplished by duplicating data from the devices in question and examining it with forensic utilities. Learn more about Tracking User Activity and other Digital Forensics Services.
Monitoring user activity can be accomplished at many different levels. User activity can be monitored at the individual computer level all the way to network gateway level. Learn more about Monitoring User Activity and other Data Services. |
9. Are there any exigent circumstances that affect the examination?
|
Yes. The following examples outline possible scenarios that would affect the examination:
- If the primary contact of the client contracting the service through PATCtech is no longer affiliated with the contracting company, or is otherwise found to be not affiliated with the contracting company, all current examination processes will cease until a new contract is made with the contracting company.
- If evidence of a felony crime is found, primarily evidence of crime against a child (i.e., child pornography), all processes will cease, and the contract will be null and void - see privacy and discretion policy for more information.
- Results and findings may at times change the course of legal or administrative investigations and in turn change the scope of the examination. When this occurs, amendments to the existing contract will be made and signed by both parties to ensure that both parties have a clear vision of the procedures that must be undertaken.
|
10. Are there any exigent circumstances that I (or Company) may be liable for?
|
Yes. Because PATCtech examiners are licensed law enforcement officers, they are mandated by law to report when evidence of a felony crime is detected - primarily any crime against a child, including but not limited to, child pornography. We also have the ability to be present with any client who wishes to report their own evidence of a crime, and assist them in an expeditious and professional reporting effort. For further information, view the PATCtech Privacy/Discretion policy.
11. Why do I need a forensic examiner as opposed to our I.T. person?
|
There are three distinct elements that make a "complete and professional" Digital Forensics Technician: Investigation experience, knowledge of digital forensics procedures, and technical aptitude of the items being examined.
Where an I.T. person may have exemplary technical aptitude of the device being examined, more often than not they will inadvertently destroy critical evidence if they don't also possess knowledge of digital forensics. Likewise, a technician who is armed only with digital forensics certifications will damage company productivity and create network down-time as their interests are only in producing data.
Knowledge of digital forensics and technical aptitude are essential skills - but only with the combined skills of an experienced Law Enforcement Investigator do you have a complete Digital Forensics Technician, and thereby a complete Digital Forensics Investigation. The experienced investigator knows what questions need to be asked, what legal guidelines will affect the examination, and can support results of an examination in court by both the technical and legal standards in the industry. |
12. What are the responsibilities of the Chief Case Examiner?
|
Once you have submitted an initial request form, a representative will contact you to discuss your request and make recommendations towards the best course of action. Once you have had your initial consultation, you will also be given the opportunity to speak with our staff of specialists to provide you with further pre-service input on any unique circumstances. This process can be done over an extended period of time for larger projects, and instantly for cases that need immediate or emergency response.
Once you have contracted a service with PATCtech, a Chief Case Representative (CCR) will be assigned to you for the purpose of overseeing any and all processes involved in your case. Whether data service, digital forensic examination, or legal service, the CCR will communicate with you directly on all aspects of your case.
One of the most important roles of the CCR is to ensure that the results of your examination or other service are portrayed to you in a way that you will know "what to do next" - in other words, what options you have based on the results or findings in your case. As a value added, the CCR will make recommendations based on results of your case for any further forensic service, data service or legal service that will reduce your exposure to litigation.
13. What makes a procedure “Forensic”?
|
An examination of digital media is "Forensic" in nature when it follows protocols and a chain of custody which allows produced data to be admissible as evidence in a court of law. This is what separates digital forensics from other forms of audits or inspections conducted by I.T. personnel who do not specialize in this type of examination, nor have the experience of a law enforcement investigator to know what data to search for.
A 'complete' and 'Forensic' examination will be conducted by a technician who possesses the specialized skills of eDiscovery and Digital Forensics required for this type of task, as well as a solid background in investigations that only an experienced law enforcement officer can obtain. A technician with these qualifications can ensure that the right data ('complete') is prepared using the right procedures ('Forensic').
|
14. What are examples of Digital Forensic examinations and Subject eDiscovery?
15. How long will a typical examination take?
|
This of course depends on the size and scope of the project.
The examination portion itself for a standard hard drive, for example, can be accomplished usually within a 24 hour period. Exceptions and other factors that will affect the project completion time are as follows:
- Amount of memory (RAM or ROM) on the device;
- Number of devices being examined;
- The variance in types of devices that need to be examined when multiple devices fall within the scope of the case;
- Passwords, Encryption and other data security hurdles that must be overcome;
- Extenuating circumstances - i.e., delays in evidence shipment or travel delays when on-site examinations are required;
The number one factor that will affect the time required for completion is the scope of the project. For example, a fairly accurate completion date can be estimated prior to an examination when a client simply requests that PATCtech "examine this hard drive." (see Forensic Examination of Device(s)) Alternatively, when a client knows what they are looking for, but does not know what all items / equipment fall into the scope of the case, then the case will take the form of an investigation as opposed to a standard examination. The difference being that instead of the client requesting to "examine this device," they request that we, for example, "examine all necessary devices that may contain communications involving proprietary data or trade secrets" (see Subject eDiscovery & Forensic Examination) - in this example, the scope of the case would assume the discovery of all devices which are capable of transmitting communications (cell phones, remote/home computers, network appliances, chat/IM software, email clients, VOIP data logs, server logs, etc...) in order to know what items / equipment are to be examined.
Prior to contracting any service, a free initial consultation will be conducted in order to identify the complete scope of the project. The scope of the project will be used to provide an estimated Time of Completion.
|
16. How much down time will I suffer during the examination?
|
Like the previous question, this primarily depends on the scope of the project. In all cases, examinations are not conducted directly on the source device, but rather on a cloned image of the device. When devices are sent to us, they can be immediately sent back upon cloning and you can have your device back in your possession while the actual examination is being performed.
For organizations that are requesting on-site examinations and/or subject eDiscovery, all devices to be examined are still cloned and source devices returned in a timely manner. However, "getting back to business" may be limited by extenuating circumstances out of the control of PATCtech. Businesses faced with preservation of evidence orders during litigation, or with other court orders, need to seek their legal counsel or that of the PATCtech Legal Division to ensure that their daily operations are in compliance with these orders.
Additionally, it is too often the case in this industry that examinations are conducted by examiners who lack experience in legal procedures. All too frequently in situations like this the examination reports the wrong data, does not follow the correct legal procedures, or corrupts important business data. When this happens the business suffers due to extended and costly legal proceedings and business down time. The PATCtech Chief Case Representative (CCR) as well as PATCtech legal representatives will work in conjunction with your legal counsel to ensure that all legal standards and procedures are followed and exceeded from the start.
|
17. ‘I want results to be private…'
|
You are entering into a professional relationship with PATC Forensic Technology. *You (as the "Primary Contact") and your organization (firm, agency, institution, or otherwise "entity") alone have access to the results and findings of the examination.
Access to trade secrets and other private information is governed by the contract with PATCtech and legal guidelines assumed with the type of examination being conducted.
* See the PATC Forensic Technology Privacy and Discretion Policy for extenuating circumstances that may result in a legal obligation to disclose information.
|
18. Does PATCtech provide follow up on how to handle the results of a forensic examination?
|
Upon completion of a Digital Forensic Examination, PATCtech will provide a written report that includes legal implications of the findings. PATCtech can provide case consultation, and expert witness services if the results of the examination are to be used in a court of law, or otherwise become a legal issue.
Additionally, through the PATC Affiliate Network, we can provide data management recommendations that provide solutions for the storage and archiving compliance issues regularly associated with litigation.