
How much does a Computer Forensics Investigation typically cost? Each situation is evaluated on a case-by-case basis. We work with you to assess your needs on each case, fully discuss your strategy and develop a quote that we can both agree upon. Computer forensic examinations require specialized tools and training and can sometimes be more expensive than traditional computer and IT services. However, the legal and economic consequences of not using a computer forensic examiner when the situation warrants it far outweigh the cost of having the work done with proper digital forensic expertise. Our mission is to provide you with professional concierge computer forensic service, placing your needs first. We will always be honest with pricing.
Why should I use The Digital Forensic Group? Our mission is simple: to provide you with the most professional digital investigative services. You will quickly see that we are not your typical computer service or investigation firm. Everything we do is geared toward your satisfaction. From the way we talk, dress and communicate, expect only the best from us. We are team players and in many instances will work harder than you on your case. Our firm is built on reputation and building lifetime relationships with our clients.
Is a testifying expert witness just a “hired gun?” How much does your testimony cost? Some experts can be hired guns - paid to give an opinion regardless of the facts. If this is what you would like from us, please do not bother to contact us and search for another firm. Our fees are based on forming objective opinions based upon facts. We will not, under any circumstance, jeopardize the reputation of our clients or our firm by issuing anything other than the most thorough, well-documented and honest opinions based upon our experience and the facts presented to us. Our goal is to bring the truth to light in any circumstance. Discerning clients appreciate our honesty and welcome information that ultimately helps them make better decisions on the course of their actions.
Computer forensics, also known as digital forensics, is the practice of identifying, collecting, preserving and analyzing legal evidence from digital media such as computer hard disk drives. Since digital evidence is both fragile and volatile, it requires the attention of a certified specialist to ensure that materials of evidentiary value are effectively isolated and extracted in a scientific manner to withstand the scrutiny of the legal system. The goal of computer forensics is to explain the current state of a digital artifact. These can include a computer system, storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network.
As soon as possible. While CSI and other forensic television shows primarily provide entertainment, they also accurately emphasize that time is critical for an investigation. The longer a computer or digital device is used or awaits inspection, the higher the probability that the digital evidence will be tainted. Even for computers in storage awaiting discovery for trial, the sooner a computer forensic examiner can preserve the valuable data, the greater the chance of recovering important and relevant evidence.
Computer forensic examinations blend science and art. It takes a highly trained professional to extract, preserve and analyze information stored on computers and digital devices, and careful thought to analyze the findings. If evidence is not handled, stored or reported properly, you run the risk of it not being admitted in a court of law. Forensic is defined as: belonging to, used in, or suitable in a court of law.
Each situation is unique, but it is often possible to recover deleted files with a computer forensic investigation. Most operating systems do not erase the actual data; they erase a pointer to the file so that the file does not appear in the folders or directories. These files can be recovered by a process of undeleting the file by restoring the directory entry. In other cases, if the directory entry is not available then a file can be recovered by using a powerful process called file carving to obtain fragments of files when directory entries are corrupt or missing.
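The header/footer form of file carving described above, as an added example (not this firm's tooling). It assumes contiguous, unfragmented files, uses the standard JPEG and PNG start and end signatures, and runs over a constructed byte buffer standing in for unallocated disk space; the 10 MiB search limit is an assumption.

```python
import hashlib

# (header, footer) signatures; the footer is included in the carved file.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # assumption: stop looking for a footer past 10 MiB


def carve(image: bytes, max_size: int = MAX_SIZE):
    """Return [(type, start, end, sha256)] for each header/footer pair found."""
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: truncated or overwritten file.
                pos = start + 1
                continue
            end += len(footer)
            # Hash each carved region so the extract can be verified later.
            digest = hashlib.sha256(image[start:end]).hexdigest()
            hits.append((ftype, start, end, digest))
            pos = end
    return sorted(hits, key=lambda h: h[1])


def sample_image() -> bytes:
    """Constructed 'unallocated space': zero filler around two fake files."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 16 + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"X" * 8  # header only, footer overwritten
    return b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 64 + orphan


if __name__ == "__main__":
    for ftype, start, end, digest in carve(sample_image()):
        print(f"{ftype} offset={start} length={end - start} sha256={digest[:16]}")
```

The orphaned header at the end of the buffer is skipped rather than carved, which is the behaviour to expect when part of a deleted file has already been overwritten.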
A computer forensic examiner has a powerful toolkit to unlock certain types of password protected files. Depending on the type of file and the speed of the computer, some programs can try hundreds of thousands of passwords per second. However, longer and more complex passwords are more of a challenge to crack.
Deleted emails can be recovered depending on the type of email client (Outlook, Entourage, Thunderbird, etc.) and how the server (Exchange, Lotus Notes) is configured. When emails are deleted from your Inbox there is still a chance that they reside on the server or in other areas of a computer. Computer forensic tools and methods allow for the data extraction and examination of email storage including information that had been previously deleted.
Many modern contact managers (such as Outlook) allow users to maintain contacts, notes and calendars in a single application. These dynamic programs are essentially databases so information in the program can be retrieved by the same computer forensic methods that are used to recover email.
Web-based email programs such as these do offer the ability to recover information even when the computer is not on the Internet. Web browsers (Internet Explorer, Firefox, Chrome, Safari, etc.) store temporary internet files on the computer that can later be retrieved by computer forensics.
Studies have shown that more email is generated every day than phone conversations and paper documents combined. Email continues to be the "smoking gun" in many cases and often provides crucial evidence in many top verdicts. It is highly recommended that legal counsel be well-versed in email and its evidentiary weight to develop proactive strategies of litigation readiness. If you don’t know about it, someone else will find it. The attitude that it “is not my problem” has had serious legal repercussions for countless organizations and legal teams.
Many instant messaging programs create logs and records of conversations that can later be discovered and investigated. A computer forensic examiner has specific software and procedures to recover this type of information so it can be used as electronic evidence to support your case.
If you think your computer or network has been compromised or that time sensitive data may be lost, you should waste no time in seeking professional computer forensic assistance. Computer-based evidence is fragile and data can be erased or changed permanently with a simple keystroke or over a period of time. This can happen without a trace, making an incident response investigator’s job to find the truth much more difficult. The objective of an incident response investigation is to ensure that all evidence is collected and preserved in a secure and forensically sound manner.
If a computer is on or running it is important to collect the information about running programs or applications. When a computer is used or turned off, valuable information will be lost permanently. Also when a computer is turned off, it initiates a set of commands and actions that can change the contents of a hard drive. It is very important when investigating a powered on computer that has been compromised or contains evidence that a live computer forensic examination is performed.
If the system is off - leave it off. A trained computer forensic investigator will use specific methods, tools and procedures to retrieve and preserve critical electronically stored information. By powering on the system you run the risk of changing the data on the computer forever and losing valuable evidence.
Volatile information is considered fragile evidence as it refers to information that is lost after a period of time or when the computer is turned off. Volatile information can reside in the computer’s random access memory (RAM), page cache files or in other areas of the computer. Analysis of this information can yield significant insight into the suspect computer. It is important that an incident response expert collects volatile information before it is lost forever.
Traditional IT departments are very good at what they do but may not have the necessary tools to perform a computer investigation in a forensically sound manner. Organizations can avoid conflicts of interest that arise from using their own IT staff. An outside computer security incident expert should be brought in as soon as possible to work with the IT, legal and/or compliance personnel to offer an outside unbiased perspective. Courts favor use of neutral third-party analysis.
Electronic discovery (“e-discovery”) refers to discovery in civil litigation which deals with Electronically Stored Information. Because of its intangible form, volume, transience and persistence, it is substantially different than paper information. On December 1, 2006, the Federal Rules of Civil Procedure (FRCP) were amended to address electronic discovery by outlining the way electronic evidence is used and admitted in litigation. Examples of the types of information included in e-discovery are: e-mail, instant messaging chats, documents (such as Microsoft Office document files), accounting databases and websites. Also included in e-discovery is "raw computer data" which forensic investigators can review for hidden and deleted evidence.
ESI is an acronym for Electronically Stored Information. The Federal Rules of Civil Procedure defined ESI as: information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software. Judges have ruled that if volatile information (such as RAM) is reasonably accessible it must be retained if litigation is anticipated. It is important that ESI be collected using digital forensic methods by qualified examiners.
Spoliation is the intentional or negligent withholding, hiding, alteration or destruction of evidence relevant to a legal proceeding. It is a criminal act in the United States under Federal law. A party's position in litigation is often impaired by the destruction, alteration or loss of crucial evidence during, and sometimes even before litigation has started. A good e-discovery consultant will work to ensure that electronic data is handled in a forensically sound manner.
Metadata is data about the data. Metadata describes essential aspects of the data (or document) such as the author of the document, the last print time or when the file was created, accessed or modified. Because metadata is fundamentally data, it requires the same forensic scrutiny as any other form of data and often is not visible unless special tools and methods are used.
Computers and technology are important parts of our professional and personal lives. They are used for communication, productivity, entertainment and create digital traces of almost any event. Because of this digital adaptation, it is important to consider computer expert witness testimony as an integral part of any case. It is important to understand that not all electronic evidence is useable. A qualified expert will review the digital evidence for its veracity and merit, and only use the most accurate and pertinent information.
The legal system requires that expert opinions and testimony be made only by qualified individuals. Because of the inherent conflicts of interest in using internal IT personnel to review potential evidence, an outside computer forensic expert should be retained to offer an honest and unbiased opinion. All parties in a case should have only the most pertinent and accurate evidence entered into testimony. A qualified computer expert witness should possess relevant technical knowledge and have a sound foundation about the legal process.
If opposing counsel has retained a computer expert witness it is important that any reports or testimony given by the expert undergo proper peer review. It is necessary to test the validity, accuracy and scientific merits of an opposing counsel’s report about computers, networks, email and other digital components. A properly thought out legal strategy will consider not only one’s own facts and evidence brought about by discovery but a careful scrutiny of any electronic evidence entered by the other side.
Contact us now toll free at 888-683-2396 or 212-232-0215 in the New York City area and have all your computer forensic, incident response, e-discovery and expert witness questions answered immediately by a certified computer forensic expert.
The evidence counts – count on us.