Data Acquisition and Imaging

Data Acquisition

Digital Forensics Lab technicians extract electronically stored information (ESI) from laptops, desktops, servers, virtual servers, cellular phones, smart phones, external drives and other types of electronic media. They retrieve hidden or encrypted data from networks, hard drives and other electronic sources, documenting each electronic discovery point as they go. The data is then compiled into a clear, concise and easy-to-understand written digital forensic report that explains what the data reveals. Our accredited investigators, with years of experience and knowledge of the legal process, can then use this forensically sound data to testify in court.

The specialists at Digital Forensics Lab are skilled in all major operating systems, including Mac OS, Windows and Linux, and start every investigation by examining all of the networks, hard drives and backup drives associated with the device. Our digital forensic process protects hardware, software and data from being altered during the examination. Our computer forensics experts locate hidden files, decipher encrypted files and recover the passwords or keys needed to reach protected information. We also recover deleted data.

Digital Forensics Lab specialists follow a legally sound computer forensic process while obtaining evidence of illicit activity. Each of our licensed specialists has in-depth knowledge of hardware architecture, software systems and the legal process. The right forensic evidence gathered in the wrong way can ruin the opportunity to present it in court. As electronic data can be a crucial factor in any digital forensic case, proper procedure is essential.

Understanding the electronic discovery of digital forensic evidence in its many forms is a core skill of Digital Forensics Lab experts. Our computer forensic experts have the experience to acquire ESI from laptops, desktops, servers, virtual servers, cellular phones, smart phones, external drives and other types of electronic media. Acquiring data from a laptop is different from acquiring it from a virtual drive or from an iPhone. Having the right equipment, knowing how to work with live systems and being able to work quickly and discreetly are all skills of Digital Forensics Lab EI technicians.

Data Imaging

Data imaging is focused on preserving unspoiled evidence (evidence free of spoliation) for use in a negotiation, an internal investigation, a civil court or a criminal court. A critical step in a professional e-investigation is imaging: creating an exact replica of the device and data being considered as digital forensic evidence. This is similar to how a physical crime scene is photographed to collect evidence and leads. The experts at Digital Forensics Lab use well-respected technology, such as EnCase, and established standards to ensure that any evidence found will be admissible at trial.

Once the device is in hand, the data is duplicated through a write-blocking device and our hard drive duplicator, and then with software imaging tools such as EnCase, FTK Imager or FDAS. The image is then verified with MD5 and SHA-1 hash values (both are recorded because MD5 on its own is no longer collision resistant). The imaging procedure varies depending on whether the device is powered on or off, the scenario, the scope of the case, whether the imaging is for "us" or for the opposing side, the operating system, time constraints, directives in a court order and so on. Every imaging job nevertheless shares the same core steps: starting the chain of custody; recording the type, brand, model and serial number of the device and of the storage media inside it; photographing the devices and the storage media inside them; verifying the accuracy of the device's date and time; and verifying the information collected. Each type of ESI source, such as laptops, desktops, servers, hosted drives, mobile phones and smart phones, then has its own steps in the imaging process.

Laptops:
The chain of custody is started on the laptop. The drive is removed, and the laptop imaging process creates a forensically sound bit-by-bit copy of it to a set of digital forensic image files that contain checksum values throughout the image as well as MD5 and SHA1 hash values for the whole drive image. The forensic image is verified by comparing its hash values against those computed from the original drive, checked for errors and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the laptop are noted, and the drive is re-installed in the laptop.
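As an added worked example (not the lab's own tooling, and not EnCase or FTK Imager code), the following Python sketches the acquisition and verification steps described above: a bit-by-bit read of the evidence drive into a segmented image with a CRC after every chunk plus MD5 and SHA-1 over the whole stream, zero-filling and logging of unreadable sectors, and a verification pass that recomputes everything and pinpoints a damaged chunk. The FakeDevice class, the DFLIMG01 container layout, the 4 KiB chunk size and the sample drive contents are all constructed for the example.

```python
import hashlib
import struct
import zlib

MAGIC = b"DFLIMG01"   # hypothetical container tag used only by this example
CHUNK_SIZE = 4096     # imaging block size; real tools use 32-64 KiB chunks


class FakeDevice:
    """Constructed stand-in for the evidence drive behind a hardware write
    blocker: a read-only byte buffer. Chunk indexes listed in bad_chunks raise
    IOError to simulate unreadable sectors on a failing drive."""

    def __init__(self, data, bad_chunks=()):
        self.data = bytes(data)
        self.size = len(self.data)
        self.bad = set(bad_chunks)

    def read_at(self, offset, length):
        if offset // CHUNK_SIZE in self.bad:
            raise IOError("I/O error reading offset %d" % offset)
        return self.data[offset:offset + length]


def acquire(device, chunk_size=CHUNK_SIZE):
    """Bit-for-bit copy of `device` into an in-memory image.
    Layout: MAGIC | chunk_size u32 | total_size u64 | (chunk, crc32 u32)* | md5 | sha1
    An unreadable chunk is zero-filled and logged (dd's conv=noerror,sync
    behaviour) so every later chunk keeps its original offset. MD5 and SHA-1
    are computed over the bytes as written; those are the values recorded on
    the acquisition worksheet together with the unreadable ranges."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    image = bytearray(MAGIC + struct.pack("<IQ", chunk_size, device.size))
    unreadable, chunks = [], 0
    for offset in range(0, device.size, chunk_size):
        length = min(chunk_size, device.size - offset)
        try:
            block = device.read_at(offset, length)
        except IOError:
            block = b"\x00" * length
            unreadable.append(chunks)
        md5.update(block)
        sha1.update(block)
        image += block + struct.pack("<I", zlib.crc32(block) & 0xFFFFFFFF)
        chunks += 1
    image += md5.digest() + sha1.digest()
    log = {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
           "chunks": chunks, "unreadable_chunks": unreadable}
    return bytes(image), log


def verify(image, logged_md5, logged_sha1):
    """What the examiner does before loading the image: recheck every chunk
    CRC (which localises damage to a chunk), recompute MD5/SHA-1 over the data
    stream and compare with both the embedded footer and the logged values."""
    if image[:len(MAGIC)] != MAGIC:
        raise ValueError("not an image produced by acquire()")
    chunk_size, total = struct.unpack_from("<IQ", image, len(MAGIC))
    pos = len(MAGIC) + 12
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    bad_crc, index = [], 0
    for offset in range(0, total, chunk_size):
        length = min(chunk_size, total - offset)
        block = image[pos:pos + length]
        (stored_crc,) = struct.unpack_from("<I", image, pos + length)
        if zlib.crc32(block) & 0xFFFFFFFF != stored_crc:
            bad_crc.append(index)
        md5.update(block)
        sha1.update(block)
        pos += length + 4
        index += 1
    report = {
        "bad_crc_chunks": bad_crc,
        "md5_matches_footer": md5.digest() == image[pos:pos + 16],
        "sha1_matches_footer": sha1.digest() == image[pos + 16:pos + 36],
        "md5_matches_log": md5.hexdigest() == logged_md5,
        "sha1_matches_log": sha1.hexdigest() == logged_sha1,
    }
    report["ok"] = not bad_crc and all(
        report[k] for k in ("md5_matches_footer", "sha1_matches_footer",
                            "md5_matches_log", "sha1_matches_log"))
    return report


def demo():
    """Constructed run: a drive of 10 full chunks plus a partial one with chunk 4
    unreadable, then one flipped byte in chunk 7 of the stored image."""
    drive = bytes((i * 7 + 3) % 256 for i in range(10 * CHUNK_SIZE + 1234))
    image, log = acquire(FakeDevice(drive, bad_chunks=[4]))
    clean = verify(image, log["md5"], log["sha1"])
    damaged = bytearray(image)
    damaged[len(MAGIC) + 12 + 7 * (CHUNK_SIZE + 4) + 100] ^= 0x01  # inside chunk 7
    tampered = verify(bytes(damaged), log["md5"], log["sha1"])
    return log, clean, tampered


if __name__ == "__main__":
    log, clean, tampered = demo()
    print(log, clean["ok"], tampered["ok"], tampered["bad_crc_chunks"])
```

The per-chunk CRCs are what make the verification useful rather than merely pass/fail: a whole-image MD5 or SHA-1 mismatch only says the image cannot be relied on, while the chunk checksums say which 4 KiB to re-acquire or document. Note also that the hashes cover the zero-filled replacement for the unreadable chunk, so the worksheet must list the unreadable ranges alongside the hash values.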

Desktops:
The desktop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic images. The number and type of storage devices in the desktop are determined. The hard drive(s) are removed from the desktop, and the type, brand, model and serial number of each drive are recorded and photographed. Each drive is then connected to a high-speed forensic imaging device that checks for hidden areas of the hard drive, such as a DCO (device configuration overlay) or HPA (host protected area), and creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain checksum values throughout the image as well as MD5 and SHA1 hash values for the whole drive image. The digital forensic image is verified by comparing its hash values against those computed from the original drive, checked for errors and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the desktop are noted, and the drive is re-installed in the desktop.

Servers:
The server hard drive imaging process creates a forensically sound bit-by-bit copy of each drive to a set of digital forensic images. The RAID type and configuration are determined along with the number and type of storage devices in the server. The hard drives are removed from the server one at a time, and the slot position, type, brand, model and serial number of each drive are recorded and photographed. One at a time, the drives are connected to a high-speed computer forensic imaging device, and a forensically sound bit-by-bit copy of each drive is created to a set of digital forensic image files that contain checksum values throughout the image as well as MD5 and SHA1 hash values for the whole drive image. The digital forensic images are verified by comparing their hash values against those computed from the original drives, checked for errors and loaded (virtually rebuilding the RAID configuration in the forensic software where necessary) to check for partitions, file systems and encryption. The internal calendar and clock of the server are noted, and the drives are re-installed in the server in their original positions.
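The virtual RAID rebuild mentioned above, as an added Python example that is not the lab's procedure or any forensic suite's code: per-disk images are reassembled into the logical volume, one missing drive is regenerated from XOR parity, and each stripe is parity-checked where all disks are present. The left-asymmetric layout, the 64-byte stripe unit, the four-disk set and the sample volume are assumptions chosen for the demonstration; a real rebuild must take the controller's layout, unit size and disk order from its metadata.

```python
def raid5_layout(row, disk_count):
    """Left-asymmetric RAID-5 (an assumed layout for this example; the real
    one comes from the controller metadata): parity rotates backwards from the
    last disk and data units fill the remaining disks in ascending order."""
    parity = disk_count - 1 - (row % disk_count)
    return parity, [d for d in range(disk_count) if d != parity]


def xor_blocks(blocks):
    out = bytearray(blocks[0])
    for block in blocks[1:]:
        for i, b in enumerate(block):
            out[i] ^= b
    return bytes(out)


def build_raid5_images(volume, disk_count, unit):
    """Constructed fixture: split a logical volume into per-disk images the way
    a controller writes them (data units plus XOR parity), zero-padding the
    last stripe."""
    data_disks = disk_count - 1
    rows = -(-len(volume) // (data_disks * unit))
    volume = volume.ljust(rows * data_disks * unit, b"\x00")
    disks = [bytearray() for _ in range(disk_count)]
    for row in range(rows):
        parity, data = raid5_layout(row, disk_count)
        base = row * data_disks * unit
        units = [volume[base + k * unit:base + (k + 1) * unit] for k in range(data_disks)]
        for disk, u in zip(data, units):
            disks[disk] += u
        disks[parity] += xor_blocks(units)
    return [bytes(d) for d in disks]


def rebuild_raid5(images, unit):
    """Virtually reassemble the volume from per-disk images (None marks a
    missing or failed drive). A missing unit is regenerated by XORing the other
    disks; when every disk is present each stripe is parity-checked and the
    rows that do not XOR to zero are reported (bit rot or a stale drive)."""
    disk_count = len(images)
    present = [d for d, img in enumerate(images) if img is not None]
    if len(present) < disk_count - 1:
        raise ValueError("RAID-5 can tolerate only one missing drive")
    rows = len(images[present[0]]) // unit
    volume, parity_errors = bytearray(), []
    for row in range(rows):
        parity, data = raid5_layout(row, disk_count)
        units = {d: images[d][row * unit:(row + 1) * unit] for d in present}
        missing = [d for d in range(disk_count) if d not in units]
        if missing:
            units[missing[0]] = xor_blocks([units[d] for d in present])
        elif any(xor_blocks([units[d] for d in range(disk_count)])):
            parity_errors.append(row)
        for d in data:
            volume += units[d]
    return bytes(volume), parity_errors


def demo():
    """Constructed run: 4 disks, 64-byte units, a volume of 7 full stripes plus
    a partial one; rebuilt complete, degraded (disk 2 missing), with two disk
    images attached in swapped slots, and with one corrupted byte on disk 1."""
    unit = 64
    volume = bytes((i * 31 + 7) % 256 for i in range(7 * 3 * unit + 50))
    images = build_raid5_images(volume, 4, unit)
    full, errors_full = rebuild_raid5(images, unit)
    degraded, _ = rebuild_raid5([images[0], images[1], None, images[3]], unit)
    swapped, errors_swapped = rebuild_raid5([images[1], images[0], images[2], images[3]], unit)
    corrupt = list(images)
    d1 = bytearray(corrupt[1])
    d1[3 * unit + 5] ^= 0xFF          # one bad byte in stripe row 3 of disk 1
    corrupt[1] = bytes(d1)
    _, errors_corrupt = rebuild_raid5(corrupt, unit)
    return {
        "full_ok": full[:len(volume)] == volume,
        "degraded_ok": degraded == full,
        "swapped_ok": swapped[:len(volume)] == volume,
        "parity_errors_full": errors_full,
        "parity_errors_swapped": errors_swapped,
        "parity_errors_corrupt": errors_corrupt,
    }


if __name__ == "__main__":
    print(demo())
```

The swapped case is the instructive one: XOR is order-independent, so two drive images attached in each other's slots still pass the parity check, yet the reassembled volume is wrong. Parity catches a corrupted or stale drive, not a wrong disk order, which is why the slot position of every drive is recorded and photographed before it leaves the chassis.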

Hosted drives:
The hosted drive imaging process creates a forensically sound copy of the hosted data. The type of hosting, the hosting environment, the server hardware, the client and server software versions and the operating system are determined, and the most accurate and efficient method of access is chosen for that environment. Forensic imaging software is run from a hosting account with permissions and access appropriate to the scope of the imaging. Because the hosting provider often does not expose the underlying physical disk, this is typically a logical collection: the imaging software is run against the requested data to create a forensically sound copy of the requested files and data with the necessary hash values. The digital forensic images are verified against the original hash values and checked for errors, and an appropriate chain of custody is started for the collected data.

Flash drives or other small media:
The type of storage media is determined, and the media is removed from the camera, phone or other host device if necessary; its type, brand, model and serial number are recorded and photographed. The media is then connected to an appropriate hardware write blocker (via an adapter or card reader if necessary). Forensic imaging software is run to create a forensically sound bit-by-bit copy of the media to a set of forensic image files that contain checksum values throughout the image as well as MD5 and SHA1 hash values for the image of the media. The forensic image is verified by comparing its hash values against those computed from the original media, checked for errors and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the host device are noted, and the media is re-installed in the device if necessary.

Mobile and Smart phones:
The mobile imaging process creates a forensically sound copy of as much of the phone's storage as the handset and the tools support. The phone is examined for internal storage, removable flash storage and a SIM card. If a SIM card is present, it is removed and cloned without the provider network credentials, so the phone cannot register on the provider network; this keeps the phone isolated and prevents remote wiping and incoming calls, messages, voice mail and so on, which could overwrite deleted information on the device (a cloned SIM only isolates the cellular radio, so Wi-Fi and Bluetooth must be disabled or shielded as well). Removable flash storage is removed and imaged according to the flash drive and small media procedure. If the phone has no SIM card, it is placed inside a Faraday container, which blocks wireless signals from reaching the phone. The phone is then connected to a mobile phone forensic imaging device using an appropriate cable or connection method and imaged in one or more ways depending on the supported access methods, which may include direct access, software query, file system dump or physical imaging. The images are verified and compared against the original hash values, checked for errors and loaded to verify the data.

Atypical scenarios can include "hostile imaging" (similar to some of the issues encountered at Noble); physical access problems, such as site security or not having authorization for the areas where the hardware to be imaged is located; encryption; employees learning of the imaging and "forgetting" their company laptops at home that day; unexpected drive types or sizes requiring specialized hardware or software; slow or older hardware that significantly increases imaging time; missing hardware; failing drives or media; court orders or other agreements that prevent looking at or verifying collected data, which is only found to be invalid, encrypted or from the wrong custodian once access is later granted; and last-minute changes to the scope or to the hardware needed for the imaging.