Forensic Collection
The forensic process starts before the collection of evidence. The LightSpeed collection team works with our clients to plan the collection process to ensure the highest degree of success and cost effectiveness while remaining focused on admissibility in court, spoliation of evidence, and independent analysis.
Data Collection/Acquisition
Examination Process:
The steps involved in a computing investigation are summarized in the following brief overview:
- Establish a chain of custody. Be aware at all times where any items related to the investigation are located. Use a safe or cabinet to secure items.
- Maintain the integrity of the original media. The original source of information should not be altered. An exact copy of the hard drive (an image) is made, and that image is authenticated against the original to make sure that it is indeed exact.
- Catalog all information. This includes active, archival, and latent data. Information that has been deleted will be recovered to whatever extent possible. Encrypted information and information that is password protected is identified, as well as anything that indicates attempts to hide or obfuscate data.
- Additional sources of information are obtained as the circumstances dictate: firewall logs, proxy server logs, Kerberos server logs, sign-in sheets, etc.
- The information will be analyzed and interpreted to determine possible evidence. Both exculpatory (they didn’t do it) and inculpatory (they did it) evidence is sought out. If appropriate, encrypted files and password protected files are "cracked."
- Submit a written report to the client with your findings and comments.
- If necessary, provide testimony at a deposition, trial, or other legal proceeding.
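The first two steps can be backed by a small script. The sketch below is an added example, not LightSpeed's own tooling: it assumes SHA-256 as the authentication method and a hash-chained custody log, and all function names, item IDs and sample data are hypothetical or constructed.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_digest value used by the first log entry

def stream_digest(stream, algo="sha256", chunk=1 << 20):
    """Hash a binary stream in 1 MiB chunks; return (hex digest, bytes read)."""
    h, total = hashlib.new(algo), 0
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
        total += len(block)
    return h.hexdigest(), total

def authenticate_image(source, image, item_id, examiner, algo="sha256"):
    """Compare an image against its source; return a record for the custody log."""
    src_digest, src_len = stream_digest(source, algo)
    img_digest, img_len = stream_digest(image, algo)
    return {
        "item_id": item_id, "examiner": examiner, "algorithm": algo,
        "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_digest": src_digest, "image_digest": img_digest,
        "source_bytes": src_len, "image_bytes": img_len,
        "verified": src_digest == img_digest and src_len == img_len,
    }

def _entry_digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_custody_entry(log, record):
    """Chain each entry to the previous one so later edits are detectable."""
    body = dict(record, prev_digest=log[-1]["entry_digest"] if log else GENESIS)
    body["entry_digest"] = _entry_digest(body)
    log.append(body)

def log_is_intact(log):  # recompute every digest and link in order
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_digest"}
        if entry["prev_digest"] != prev or entry["entry_digest"] != _entry_digest(body):
            return False
        prev = entry["entry_digest"]
    return True

if __name__ == "__main__":
    disk = b"constructed sample sectors" * 4096  # constructed stand-in for a source drive
    log = []
    append_custody_entry(log, authenticate_image(io.BytesIO(disk), io.BytesIO(disk), "ITEM-001", "examiner-a"))
    print(log[0]["verified"], log_is_intact(log))
```

In real use the two streams would be the source device and the image file, both opened read-only in binary mode.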

