Data Acquisition And Imaging For Computer Forensics And Electronic Discovery In Houston, Dallas,...

Call Now: (800) 713-7670 Data Acquisition And Imaging For Computer Forensics And Electronic Discovery (281) 456-2474 mccanninvestigations.com

description

Computer forensics, digital debugging, network breaches, Data Acquisition And Imaging as well as traditional private investigation services in Houston, Dallas, Austin, San Antonio, Texas and New York at investigations.com. Having the right equipment, knowing how to work with live systems, and being able to work quickly and discreetly are all skills of McCann investigation technicians.


Data Acquisition & Imaging

Data Acquisition

McCann technicians have the electronic discovery and computer forensics experience to extract the ESI on laptops, desktops, servers, virtual servers, cellular phones, smart phones, external drives, and other types of electronic media.

McCann specialists not only retrieve hidden or encrypted data from networks, hard drives, and electronic sources, but also document every point of electronic discovery in the process.

This information is then compiled into a clearly written digital forensic report explaining what the data reveals. If you choose to take legal action, our investigators can testify in court with this forensically sound data as accredited investigators with years of experience and knowledge of the legal process.


The specialists at McCann are well-versed in all operating systems—including Mac OS, Windows, and Linux—and start any investigation by examining all networks, hard drives, and backup drives on the device. Our digital forensic experts specialize in protecting all hardware, software, and data from being compromised during the search, electronic discovery of encrypted or hidden files, deciphering and breaking any codes or passwords needed to retrieve information, and data recovery of deleted files.

We also document every step of the investigation so that it can be presented clearly to a judge or jury.


It is important to follow a legally correct computer forensic process while obtaining evidence of any illicit activity.


To gather forensic evidence, you need a licensed specialist with knowledge of hardware architecture, software systems, and the legal process.

The right forensic evidence gathered in the wrong way can ruin chances of presenting the forensic evidence in court. As electronic data can be a crucial factor in any digital forensic case, proper procedure is essential.


Understanding electronic discovery of digital forensic evidence in its many forms is a core skill of McCann experts.


Our computer forensic experts have the experience to acquire the ESI on laptops, desktops, servers, virtual servers, cellular phones, smart phones, external drives, and other types of electronic media.

Acquiring data from a laptop is different from acquiring it from a virtual drive or an iPhone. Having the right equipment, knowing how to work with live systems, and being able to work quickly and discreetly are all skills of McCann investigation technicians.


Data Imaging

Data imaging is focused on recovering “non-spoiled” evidence to support negotiation, an internal investigation, or proceedings in civil or criminal court.

A critical step in a professional investigation is imaging, or creating an exact replica of the device and data being considered as digital forensic evidence. This is similar to how a physical crime scene would be photographed to collect evidence and leads.

The experts at McCann use well-respected technology, such as EnCase, and standards to ensure that any evidence found will be permissible in a trial situation.


Once the data is obtained, it is duplicated using a write-blocking device and our hard drive duplicator, and then software imaging tools like EnCase, FTK Imager or FDAS step in.


The media is then verified by the SHA or MD5 hash functions. The imaging procedure will vary depending on whether the device is powered on or off, the scenario, the scope of the case, whether the imaging is for “us” or the opposing side, the operating system, time constraints, directives in a court order, etc. All imaging procedures nonetheless share some similar steps.

These include starting the chain of custody; recording type, brand, model, serial number of device and storage media inside device; photographing devices and storage media inside devices; verifying accuracy of date and time of device; and verifying information collected.

Each type of ESI source, such as laptops, desktops, servers, hosted drives, mobile phones, and smart phones, has unique steps in the imaging process.


Laptops:

• The laptop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image.

• The forensic image is verified and compared against original hash value, checked for errors and loaded to check for partitions, file systems, and encryption. The internal calendar and clock of the laptop are noted, and the drive is re-installed back into the laptop.
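The verification step described above, sketched as an added example (not McCann's tooling and not part of the original slides). It assumes the image set is a raw, split image whose segments concatenate to the original drive; container formats such as EnCase E01 need their own tools. The segment names and the sample "drive" are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def hash_image_set(segments):
    """Return (md5, sha1) hex digests over the segments, read in order."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for seg in segments:
        with open(seg, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image_set(segments, recorded_md5, recorded_sha1):
    """Compare recomputed digests with the values recorded at acquisition."""
    md5, sha1 = hash_image_set(segments)
    return {
        "md5_match": hmac.compare_digest(md5, recorded_md5.lower()),
        "sha1_match": hmac.compare_digest(sha1, recorded_sha1.lower()),
        "computed_md5": md5,
        "computed_sha1": sha1,
    }


def demo():
    """Constructed sample: a 3 KiB 'drive' split into two raw segments."""
    drive = bytes(range(256)) * 12
    recorded_md5 = hashlib.md5(drive).hexdigest()
    recorded_sha1 = hashlib.sha1(drive).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        segs = [Path(tmp) / "evidence.001", Path(tmp) / "evidence.002"]
        segs[0].write_bytes(drive[:2048])
        segs[1].write_bytes(drive[2048:])
        intact = verify_image_set(segs, recorded_md5, recorded_sha1)
        # Flip one bit in the second segment to simulate a damaged copy.
        data = bytearray(segs[1].read_bytes())
        data[10] ^= 0x01
        segs[1].write_bytes(bytes(data))
        altered = verify_image_set(segs, recorded_md5, recorded_sha1)
    return intact, altered


if __name__ == "__main__":
    print(demo())
```

A mismatch on either digest means the copy no longer represents the drive as acquired and should be recorded in the case notes before any analysis continues.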


Desktops:

• The desktop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic images. The number and type of storage devices in the desktop are determined.

• The hard drive(s) is/are removed from the desktop, and the type, brand, model, serial number of the drive(s) is/are recorded and photographed.

• The drive is then hooked up to a high-speed forensic imaging device, which determines the existence of any hidden areas of the hard drive, such as a DCO or HPA, and creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image.

• The digital forensic image is verified and compared against original hash value, checked for errors and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the desktop are noted and the drive is re-installed back into the desktop.


Servers:

• The server hard drive imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic images. The RAID type and configuration are determined, along with the number and type of storage devices in the server.

• The hard drives are removed from the server one at a time, and the position, type, brand, model, and serial number of each drive are recorded and photographed.

• One at a time, the drives are then hooked up to a high-speed computer forensic imaging device, and a forensically sound bit-by-bit copy of each drive is created to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image.

• The digital forensic images are verified and compared against original hash value, checked for errors and loaded (virtually rebuilding RAID configurations in the forensic software where necessary) to check for partitions, file systems and encryption. The internal calendar and clock of the server are noted and the drives are re-installed back into the server.


Hosted drives:

• The hosted drive imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic images. The type of hosting, hosting environment, server hardware, version of client and server host, and operating system are determined.

• The most accurate and efficient method of access is determined depending on the hosting environment. Forensic imaging software is run from a hosting account with proper permissions and access for the scope of imaging.

• Forensic imaging software is run on the requested data to create a forensically sound copy of the requested files and data with the necessary hash values. The digital forensic images are verified and compared against original hash values, and checked for errors. An appropriate chain of custody is started for the collected data.


Flash drives or other small medium:

• If the storage device is being removed from a camera, phone or other device, that device is photographed. The type of storage media is determined. The media is removed from the device if necessary, and the type, brand, model, and serial number of the media are recorded and photographed.

• The media is then hooked up to an appropriate hardware write-blocker (via adapter or reader if necessary).

• Forensic imaging software is run to create a forensically sound bit-by-bit copy of the media to a set of forensic image files that contain checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the image of the media.

• The forensic image is verified and compared against original hash value, checked for errors and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the device are noted and the media is re-installed back into the device if necessary.


Mobile and Smart phones:

• The mobile imaging process creates a forensically sound bit-by-bit copy of the drive to a set of forensic images. The phone is examined for the existence of internal storage, flash storage and a SIM card.

• If a SIM card exists, it is removed and cloned, with the exception of provider network information. This prevents connection to the provider network, which keeps the phone secure, prevents remote wiping, and prevents incoming calls, messages, voice mail, etc., which could overwrite deleted information on the device.

• Flash storage devices are removed and imaged according to the “Flash drive and small medium” procedure. If the phone does not have a SIM card, it is then placed inside a Faraday container, which prevents wireless signals from reaching the phone. The phone is then hooked up to a mobile phone forensic imaging device using the appropriate cable or connection method.

• The phone is imaged in one or more ways depending on supported access methods, which may include direct access, software query, file system dump or physical image. The images are verified and compared against original hash values, checked for errors and loaded to verify data.


Atypical scenarios can include “hostile imaging” (not dissimilar from some of the issues encountered at Noble), physical access issues (such as security or not having proper authorization to areas of hardware needing to be imaged), encryption, employees finding out about imaging and “forgetting” the company laptop at home that day, unexpected drive types or sizes requiring specialized hardware or software for imaging, slow or older hardware that can significantly increase imaging time, missing hardware, failing drives or media, court orders or other agreements preventing looking at or verifying collected data that is later found out to be invalid, encrypted, wrong custodian, etc. after access is granted, and last-minute changes that change the scope or hardware needed for the imaging process. Start chain of custody on laptop.


Headquarters: 5205 Spruce, Houston, TX 77401

Call Now (800) 713-7670 or (281) 456-2474

Offices: Houston | Dallas | Austin | San Antonio | New York