Incident Response
24 hours
(915) 544-2034
(888) 544-2034
Digital Forensic Services
- Law Enforcement
- Government
- Private Sector
Incident Response
24 hours
(915) 544-2034
(888) 544-2034
Digital Forensic Services
- Law Enforcement
- Government
- Private Sector
The forensic analysis of digital media or devices can yield a significant amount of information. The analysis may be in support of a criminal investigation or court proceeding, in response to a security breach on a device or network, or as part of an internal investigation for a company or other organization. Some exams are general, seeking to prepare a comprehensive report of what is found on the device. Other exams are more specific and are conducted to affirm or refute a specific allegation or search for evidence of a specific file or behavior.
There are several goals and requirements of a formal digital forensic exam and analysis. These requirements remain the same regardless of why the exam is being performed.
Legal Access and Permission
Before any process is started our personnel verify the legality of the examination. We must have permission from the owner of the device or media for a commercial or private examination to begin. For a law enforcement or regulatory support activity we must have a statement from the lead investigator that the device was acquired legally and is being processed as part of a legal investigation.
Forensically Sound Practices
All procedures must be performed using tools and processes which prevent the alteration of the original media. Practically speaking this means using write blockers, performing all examination on images of the original media, and using hash tests to validate images before and after the examination. Any deviations from these procedures are documented.
Chain of Custody
The chain of custody for all devices, media and images needs to be maintained and documented. Each time an item is handled or custody is transferred it must be documented. Care is taken to prevent unauthorized access to or modification of any item being processed. All items are stored in a secure location.
Comprehensive Analysis
During the course of the examination we will cover all areas needed to meet the goals of the examination. This may include examining active data, archival data and latent or hidden data. We may check for file access or modification times, internet activity times, or reconstruct chat or email conversations. Recovered data may include files or emails that have been damaged, deleted, hidden or altered. Our process may require us to bypass or crack file passwords or determine logon names for visited web sites. We have the tools and the training to make sure that all the bases are covered.
Proven Tools & Methods, Reproducible Results
All tools and methods, including forensic software and hardware, are proven as to their technical and/or scientific viability. All results can be reproduced by other examiners using the same or different tools and methods. The results of the exam should not be dependant on the exam process.
Reporting
The results of any examination are reported in full. All findings within the scope of the examination are included in the report. Any opinion or conclusions drawn based on the examination are presented as such and are separated from the factual findings.
At NTC Forensics we recognize that each situation is different. What stays the same is our commitment to use best practices throughout the forensic examination and reporting process. Contact us at (915) 544-2034 for more information.
