ELECTRONIC FORENSICS INVESTIGATIONS, LLC
Forensics through a different type of microscope

EFI’s examination cycle
Our examination process integrates components of the Department of Defense’s intelligence cycle and law enforcement problem-solving methods into a multi-phase electronic forensics methodology – Plan, Collect, Process, Analyze/Exploit, Assess, Report, and Disseminate. This process is designed to reduce the risks associated with technical errors and/or omissions that could jeopardize a case’s chance of success in court or before an arbitration panel. Our methodology was developed not only to put us out front in electronic forensics but also to give our clients confidence in our ability to represent them effectively and accurately when necessary. Depending on the scope of the case and the amount of data processed, working through the entire process may take as little as a few hours or as long as many days.

Every examination at EFI is approached from the standpoint that our findings may at some point be presented before a court. This strategy ensures our clients are prepared in the event a case does progress to this stage.
Every successful business venture begins with proper planning. When it comes to electronic forensics, EFI’s planning process starts with the initial call or email from a potential client. If at all possible, we will need to know exactly what type of service you require, exactly what type of media we will be dealing with (hard drive, cell phone, flash drive, etc.), and the nature of the case (criminal, civil, business, etc.). From there we will guide you through our process for exploiting the stated media and ask you a few more detailed questions. If you decide our services are right for you, we will internally develop requirements for meeting your needs. This process may include 1) allocating adequate resources to the project, 2) gathering the hardware and software necessary to complete the project, and 3) making arrangements to acquire the media.

Once arrangements have been made and we have received the necessary court orders or consent forms, we will collect the media. Our examination officially begins at the point we arrive on-site to acquire the items to be examined, or when they arrive at our office. At the point we take physical control of the item(s), we will open a chain of custody log. This log details the specifics of each item and notes its physical condition at the time of custody transfer. Unless being physically imaged or examined, all evidence in EFI’s custody is locked in a secure container with restricted access at all times. Each time an item is removed from or placed in the container, an entry is made in the chain of custody log. Every entry includes the date, time, name, and signature of the individual handling the evidence. The log remains open until the evidence is transferred back to the originating entity. We maintain strict adherence to chain of custody procedures for several reasons:

· Chain of custody is one of the most important aspects of any collection.
· If 100% accountability cannot be maintained, the pertinent information retrieved becomes meaningless to the case.
· Improper handling, processing, and/or storage creates the potential for contamination or destruction of evidence.
· Always knowing the location of the media, and accounting for everyone who has handled it, ensures we can accurately testify to the authenticity of the recovered data.
· Improper chain of custody procedures are a sign of poor investigative skills and unprofessional business practices – characteristics that EFI does not possess.

Now that we have the evidence in our
custody, we will immediately begin processing the case. For all computer-related media, we first acquire a raw image of the media using forensically sound practices. All images are verified by comparing the checksum of the image to the checksum of the original. At EFI, we protect all original computer media by using anti-static wrappers to guard against electrostatic discharge and write-blockers to protect against accidental alteration of the data stored on the original media.

When it comes to electronic forensic examinations, there is no “one size fits all” package. As a result, we employ a wide variety of recovery methods to extract the necessary information from examined items. These methods range from manual recovery using legacy operating systems and tools to automated recovery with properly licensed forensic software applications. Analysis and exploitation are focused on the scope of the case: if the court order specifies email messages only, then we will examine email messages only.
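As an added illustration of the custody and imaging steps described above (example code written for this page, not EFI’s own tooling or procedure), the following Python script images a constructed byte string standing in for a write-blocked drive, verifies the image by comparing its SHA-256 checksum with the checksum computed from the original, shows that a single altered byte in a copy fails that same check, and keeps a per-item chain of custody log whose entries carry date, time, handler name, action and signature. The item id, examiner name and signature strings are placeholders, and the sample media content is constructed.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample "media": 16 KiB standing in for a block device. In a real
# acquisition the source is opened read-only behind a hardware write-blocker.
SAMPLE_MEDIA = bytes(range(256)) * 64


def hash_bytes(data, algorithm="sha256"):
    """Checksum of an in-memory byte string (used for the original media)."""
    return hashlib.new(algorithm, data).hexdigest()


def acquire_image(source, destination, algorithm="sha256", chunk_size=4096):
    """Copy the source byte for byte into the image, hashing the source as it
    is read so the original is read exactly once. Returns the source hash."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: source.read(chunk_size), b""):
        h.update(chunk)
        destination.write(chunk)
    return h.hexdigest()


def verify_image(image, expected_hash, algorithm="sha256", chunk_size=4096):
    """Re-read the finished image independently and compare its checksum with
    the value computed from the original. Any difference means the image is
    not a faithful copy and must not be used for analysis."""
    image.seek(0)
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: image.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest() == expected_hash


class ChainOfCustodyLog:
    """One log per item: every custody event records date/time, handler, the
    action taken and the handler's signature. The log opens when the item is
    taken into custody and closes when it is returned."""

    def __init__(self, item_id, description, condition, handler, signature):
        self.item_id = item_id
        self.description = description
        self.entries = []
        self.closed = False
        self.record(f"received into custody; condition: {condition}",
                    handler, signature)

    def record(self, action, handler, signature):
        if self.closed:
            raise ValueError(f"chain of custody log for {self.item_id} is closed")
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "handler": handler,
            "action": action,
            "signature": signature,
        })

    def close(self, handler, signature):
        self.record("returned to originating entity", handler, signature)
        self.closed = True


def run_acquisition(media=SAMPLE_MEDIA, examiner="J. Examiner (placeholder)"):
    """Walk one item through custody, imaging and verification. Returns the
    log and the verification results so they can be checked programmatically."""
    log = ChainOfCustodyLog("ITEM-001 (placeholder)", "2.5in SATA drive (constructed)",
                            "no visible damage", examiner, "/s/ JE")
    log.record("removed from secure container for imaging", examiner, "/s/ JE")

    source = io.BytesIO(media)   # stand-in for the write-blocked device
    image = io.BytesIO()         # stand-in for the raw image file
    source_hash = acquire_image(source, image)
    verified = verify_image(image, source_hash)
    log.record(f"raw image acquired, sha256 {source_hash[:16]}..., "
               f"verified={verified}", examiner, "/s/ JE")
    log.record("returned to secure container", examiner, "/s/ JE")

    # A one-byte change to a copy of the image must be caught by the same check.
    altered = io.BytesIO(image.getvalue()[:-1] + b"\x00")
    tampered_verified = verify_image(altered, source_hash)

    log.close(examiner, "/s/ JE")
    return {"log": log, "source_hash": source_hash,
            "verified": verified, "tampered_verified": tampered_verified}


if __name__ == "__main__":
    result = run_acquisition()
    print("image verified:", result["verified"])
    print("altered copy verified:", result["tampered_verified"])
    for entry in result["log"].entries:
        print(entry["timestamp"], entry["handler"], entry["action"])
```

The source is hashed during the copy rather than in a second pass so the original media is read only once; the image is then hashed on its own and the two values compared. Once the log is closed, any further attempt to record an entry is refused, which mirrors the rule that the log stays open only until the evidence goes back to the originating entity.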
Whatever the case may be, our analysis process is extremely thorough to ensure evidentiary information is not overlooked. During this phase we conduct a very detailed examination of the processed contents for items that appear relevant to the case. This phase focuses on such areas as file content, the date and time of file creation and modification, the users associated with file creation, access, and modification, and the physical storage location of the file. All items identified as potentially relevant to a case are flagged for further analysis.

ASSESS DATA RELEVANCE TO THE CASE

All recovered data flagged as potentially relevant during the analysis phase is collated in an effort to assess its true importance. This is one of the most crucial parts of the examination process because:

1. this phase provides us the opportunity to review the flagged data in greater detail and begin piecing the puzzle together;
2. examining all relevant pieces of data together enables us to accurately state the facts relating to the items recovered;
3. information gaps are often identified, prompting us to revisit the analysis phase in an effort to recover additional information that helps clarify the relevance of the extracted data;
4. this process establishes the baseline for preparing a comprehensive report that clearly articulates our findings, leaving little room for misinterpretation concerning how the facts of the case may confirm or deny the suspicions that triggered the electronic investigation.
PREPARE A COMPREHENSIVE REPORT

The forensic process is worthless if the evidentiary information recovered during the examination is not clearly articulated to our clients. With this in mind, we always prepare a detail-oriented report highlighting the key evidentiary items forensically recovered during the examination. When applicable, we will also provide our professional thoughts and comments concerning the content stored on the media or device.

DISSEMINATE THE REPORT & MEDIA TO THE CLIENT

After the report has been reviewed for accuracy and completeness, it, along with the original evidence and a copy of the chain of custody log, is turned over to the client. The chain of custody log is closed upon physical transfer of the evidence and report. At this point the electronic investigation is considered closed, unless future summation is requested.
Copyright 2007-2013. Electronic Forensics Investigations, LLC. All rights reserved.