Our team can forensically and defensibly capture data from any number of sources, including laptops, desktops, workstations, network servers, email servers, cloud environments, RDBMS, RAID arrays, live systems, backup tapes, PDAs, cell phones, Apple systems and phones, CDs/DVDs and third-party storage sources, including internet-based services such as Gmail, Hotmail, AIM, ICQ, Yahoo and MSN. Our highly trained forensic examiners create and maintain the substantial documentation accompanying all data collection and analysis projects. They are experienced in testifying in court concerning the adequacy and reliability of their process, helping you defend against spoliation concerns. Additionally, to reduce travel expenses, we offer remote data collection services, where appropriate for the case, to complement our traditional, onsite collections.
• Certified collection experts with national and international support
• Industry-leading, mirror-imaging technology
• Industry-standard chain-of-custody processes for all evidence
• Comprehensive technical consulting and reporting
• Expert witness testimony
Hardware
As there is no universal solution for forensically acquiring data, we employ an array of different hardware solutions so that the most effective technology and technique are used to ensure the legal defensibility of the process. We utilize hardware-based, write-protect devices to ensure the authenticity of the data, such as Guidance Software’s FastBloc2, Tableau’s Forensic Bridges, and Digital Intelligence’s FireFly. If appropriate, we can also rely upon forensic hard drive acquisition units, such as ICS’s ImageMaster Solo 3 and Solo 4, VoomTech’s HardCopy2 and HardCopy3 and Logicube EchoPlus.
Software
We utilize software tools such as FTK, Helix, F-Response, First Link and Smart to offer our best technology approach, one that provides defensibility and flexibility. Additionally, we utilize a wide variety of custom-designed and off-the-shelf products for remote collection, i.e., tools that enable a custodial-level collection by date range and by file type.
Remote Collections
Advanced Discovery’s forensic team provides remote preservation and collections in a forensically sound and defensible manner. The team can remotely collect either a bit-stream image (bit by bit) or conduct a targeted collection of selected files. One Advanced Discovery investigator can search multiple machines simultaneously when collecting remotely. The team will ship a designated number of remote-collection hard drives with USB connections and, when it is the appropriate time to collect the data, the custodian or a company representative will plug in the provided hard drive. Using the designated computer’s internet connectivity, the Advanced Discovery forensic examiner then begins the preservation and collection of the data. During this process, the computer is inoperative for the custodian or any other user, ensuring that the preservation can be confirmed. This collection occurs over an encrypted connection that is used only for remote viewing. It is important to note that no evidence is transferred over the internet; the internet is only used to allow the forensic examiner to view the computer’s files.
iPhone/App Collections
We use the same tools and techniques that law-enforcement officials employ to ensure the legal defensibility of the process and the trustworthiness of the results. When we acquire data from cell phones, we have the ability to create both logical and physical forensic images, which facilitates the retrieval of active and deleted data, such as text messages and photographs. To ensure the authenticity and thoroughness of our investigative results, we employ an array of software and hardware including, but not limited to, the Zdziarski Method, Lantern, Oxygen Forensic, Paraben Device Seizure and SecureView. With regard to Mac-based laptop and desktop computers, we commonly use an approach to retrieve forensically contained data that entails removing the hard drives and attaching them to hardware.
To ensure the legal defensibility of collection efforts performed on Mac-based laptops and desktops, we perform formal acquisition, preservation, and verification efforts which are predicated on strict adherence to industry-accepted best practices, United States Department of Justice methodologies and strict legal guidelines. The forensic-acquisition process employs an array of forensic technology recognized by state and federal courts, including hardware- and software-based write-protect devices, the same technology employed by state and federal law enforcement agencies to prevent writing to, manipulating, or altering data on hard drives. The forensic-acquisition process concludes with the generation of a bit-stream copy that is subjected to a mathematical verification process, utilizing an MD5 hash sum for authentication purposes, to demonstrate that the original source of the data was not altered and that a true forensic duplication has been produced.
Live “Hot” Server Collections
As laptops and desktops commonly interact with server-based resources, such as file shares, databases and other server-based applications, our expertise is frequently leveraged to acquire data from such live servers in operation. In doing so, true forensic acquisitions can be performed and the resulting images can be created and verified without having to shut down the servers. Using specialized forensic software that is designed to create logical evidence files, server-based data can be collected without disrupting the normal operation of servers.
Litigation and Testimony
Our senior forensic consultant has provided expert, civil-litigation testimony in the areas of collection, analysis and costs. He has worked with attorneys, corporations and private entities in the proper preservation, acquisition, examination, analysis, recovery and presentation of ESI from computers and other digital sources.
For more information, contact us at salesinfo@advanceddiscovery.com or call (866) 342-DATA.










