Computer forensic examinations are tightly
controlled and fully documented examinations of
computers and associated storage media for data
that could provide relevant evidence and/or
investigative leads.
Forensic computer examinations go far beyond
normal data recovery techniques and reach areas
and files on the media that untrained personnel
would not normally access. These examinations can
find the data that the agency or client wants or
needs.
Forensic computer examinations are conducted
using procedures and protocols that ensure all
recoverable data is recovered and presented to
the client, and that the data found can be
admitted in court, if necessary.
Examinations:
Use properly prepared and verified, forensically
sterile media. This ensures that there is no
contamination by viruses, no contamination by
previously examined data from another case or the
same case, and no contamination by any other data
that could already be on the media.
Examine, describe and properly document the
hardware that is the subject of the examination.
Ensure that the original media and data are
maintained in their original, unaltered state
during the examination. This prevents loss or
alteration of the original data, allows the
recovered data to be authenticated against the
original, and is a sound defense against claims
that the data or operating system were altered or
corrupted. This is usually done by making a
bit-stream copy of the original media and
verifying the integrity of that copy by hashing
both the original and the copy with a
cryptographic hash algorithm and confirming that
the values match.
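The bit-stream copy and hash verification step above, as an added worked example (this is illustration code, not the examining agency's own tooling). The script images a constructed sample file byte for byte, records the hash computed while the source is read, then re-hashes both the original and the image and requires all three values to agree. The file names, chunk size and sample media contents are assumptions. Hashing detects alteration after the fact; preventing writes to the original is the job of the next item.

```python
"""Bit-stream imaging with hash verification (added example).

The "original media" is a constructed byte string written to a temporary
file so that the example runs offline; on real media the source would be a
block device read through a write blocker.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # assumed read size; chunked reads scale to real devices


def image_media(src_path, dst_path, algorithm="sha256"):
    """Copy every byte of src_path to dst_path in order (a bit-stream copy)
    and return the hash of the bytes exactly as they were read."""
    h = hashlib.new(algorithm)
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before hashing it
    return h.hexdigest()


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks; used to re-read both original and image."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(src_path, dst_path, acquisition_hash, algorithm="sha256"):
    """Re-hash the original and the image after acquisition. The hash taken
    while reading, the re-read original and the image must all agree.
    Returns a record suitable for the examination notes."""
    src_hash = hash_file(src_path, algorithm)
    dst_hash = hash_file(dst_path, algorithm)
    return {
        "algorithm": algorithm,
        "acquisition_hash": acquisition_hash,
        "source_hash": src_hash,
        "image_hash": dst_hash,
        "size": os.path.getsize(dst_path),
        "verified": acquisition_hash == src_hash == dst_hash,
    }


def demo(tamper=False):
    """Build constructed 'original media', image it and verify. With
    tamper=True one byte of the image is changed afterwards to show the
    verification failing while the original still matches."""
    media = b"MBR\x00" + b"\xff" * 2000 + b"notes.txt contents" + b"\x00" * 3000
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.bin")  # hypothetical file names
        img = os.path.join(d, "original.dd")
        with open(src, "wb") as f:
            f.write(media)
        acq = image_media(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(2004)  # first byte of "notes.txt contents"
                f.write(b"X")
        return verify_image(src, img, acq)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

A single changed byte in the image changes its hash, so verification fails even though the acquisition hash and the re-read original still agree; recording all three values is what lets the notes show which copy diverged.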
Ensure that no unauthorized writes are made to
the media by viruses, by "booby trap"
defense schemes, by the operating system, by
applications that write back to the media to cache
data, or by any other inadvertent means.
Recover, unlock and access deleted files,
hidden files or data, password-protected files and
encrypted files. Any means of concealing data is
documented for possible use as evidence later.
List all of the files in the directory hierarchy,
including recovered files. The name, size, and
time and date of creation or last modification of
each file are documented.
Examine data in unallocated space (space that is
not currently in use by files but which may still
contain data) for relevance to the investigation
or inquiry at hand. Potentially relevant data is
recovered, printed or copied to other media (such
as read-only CD-ROM), and the location where it
was found is documented.
Examine data in file slack (the area within the
last cluster of a file that is not occupied by
the file's own contents) for relevance to the
investigation or inquiry at hand. As with
unallocated space, potentially relevant data is
recovered, printed or copied to other media (such
as read-only CD-ROM), and the location where it
was found is documented.
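The two items above, unallocated space and file slack, as one added worked example (illustration code, not code from the original page). It builds a constructed image with 512-byte clusters in which a file report.txt occupies clusters 1 and 2 with 700 bytes of content, the slack after its logical end holds residue from an earlier occupant of the cluster, and cluster 5 holds a fragment of a deleted file. The cluster chain, logical size and allocation set are given directly; on real media they come from the file system's own metadata. All names and contents are constructed.

```python
"""Locating data in file slack and unallocated space (added example)."""
import re

CLUSTER_SIZE = 512
NUM_CLUSTERS = 8

# Constructed contents; none of this is real evidence.
FILE_CONTENT = (b"Quarterly report line\n" * 40)[:700]  # report.txt, 700 bytes
SLACK_RESIDUE = b"earlier occupant of this cluster: wire USD 48,000 to acct 99-1234"
DELETED_FRAGMENT = b"memo.doc fragment: meeting moved to Friday, bring the ledger"

REPORT_CLUSTERS = [1, 2]   # cluster chain of report.txt, as a file system would list it
ALLOCATED = {0, 1, 2}      # cluster 0 = boot/allocation area; clusters 3..7 are free


def build_image():
    """Assemble the constructed media image as bytes."""
    img = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
    img[0:16] = b"CONSTRUCTED-IMG\x00"
    start = REPORT_CLUSTERS[0] * CLUSTER_SIZE
    img[start:start + len(FILE_CONTENT)] = FILE_CONTENT
    # Slack: bytes after the logical end of report.txt, still inside its last
    # cluster, keep whatever was written there before the file existed.
    slack_start = start + len(FILE_CONTENT)
    img[slack_start + 8:slack_start + 8 + len(SLACK_RESIDUE)] = SLACK_RESIDUE
    # A deleted file's data remains in cluster 5 although the cluster is free.
    off = 5 * CLUSTER_SIZE
    img[off:off + len(DELETED_FRAGMENT)] = DELETED_FRAGMENT
    return bytes(img)


def file_slack(img, clusters, logical_size):
    """Slack is the tail of the last cluster beyond the logical end of file.
    Returns (absolute offset, bytes); the bytes are empty when the file
    ends exactly on a cluster boundary."""
    used_in_last = logical_size - CLUSTER_SIZE * (len(clusters) - 1)
    if not 0 < used_in_last <= CLUSTER_SIZE:
        raise ValueError("logical size does not fit the cluster chain")
    start = clusters[-1] * CLUSTER_SIZE + used_in_last
    end = (clusters[-1] + 1) * CLUSTER_SIZE
    return start, img[start:end]


def unallocated_runs(allocated, num_clusters=NUM_CLUSTERS):
    """Contiguous runs of clusters not in `allocated`, as (offset, length)."""
    runs, run_start = [], None
    for c in range(num_clusters + 1):
        free = c < num_clusters and c not in allocated
        if free and run_start is None:
            run_start = c
        elif not free and run_start is not None:
            runs.append((run_start * CLUSTER_SIZE, (c - run_start) * CLUSTER_SIZE))
            run_start = None
    return runs


def printable_strings(data, base_offset, min_len=16):
    """Runs of printable ASCII at least min_len long, with absolute offsets
    so the location where each was found can be documented."""
    return [(base_offset + m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]


def examine(img):
    """Examine file slack and unallocated space only (allocated file
    contents are examined separately). Each finding records the area
    and the absolute offset, as the examination notes require."""
    findings = []
    off, slack = file_slack(img, REPORT_CLUSTERS, len(FILE_CONTENT))
    for abs_off, text in printable_strings(slack, off):
        findings.append({"area": "file slack (report.txt)", "offset": abs_off, "text": text})
    for run_off, run_len in unallocated_runs(ALLOCATED):
        region = img[run_off:run_off + run_len]
        for abs_off, text in printable_strings(region, run_off):
            findings.append({"area": "unallocated", "offset": abs_off, "text": text})
    return findings


if __name__ == "__main__":
    for f in examine(build_image()):
        print(f"{f['area']:24s} offset {f['offset']:6d}: {f['text']}")
```

Neither the slack residue nor the deleted fragment is reachable through the directory listing; only a tool that reads the raw clusters and knows where each file's logical content ends will surface them, and the offsets it records are what go into the report.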
Examine all normal data files individually.
Relevant files are printed or copied to other
media (such as read-only CD-ROM), and the location
where each was found is documented.
If requested, examinations are conducted to
determine the author and creation or modification
date of particular documents or files, to
determine who created particular directories, to
determine which computer in an office or location
created certain diskettes, and to make similar
comparisons relating to document and file
creation.
All media, exhibits and other items of potential
evidence are properly secured and tightly
controlled to maintain their integrity and chain
of custody.
A report is prepared giving the physical
description of the computer and media, the
configuration of the equipment, what was found,
any attempt to hide data, and other comments
relevant to the inquiry at hand. The report
explains any technical issues or opinions in a
manner that can be easily understood.