When it comes to litigation it is important to take all the proper steps with digital evidence in order to ensure that it is admissible in a court of law. Our forensic investigators can guide you through the proper handling of digital evidence in order to avoid accidentally making changes and thus ruining possible evidence.
1.) Guide you through preserving and obtaining possible evidence for your case.
2.) Point your search in the right direction in order to increase the odds of finding what you need.
3.) Help clarify what can and can't be accomplished through digital forensics.
4.) Help determine the validity of other forensic report's, finding's, and testimony's.
Q: Do you charge for initial consultations?
A: eForensix is driven by the success of its clients. We don’t chase revenue we focus on getting results for our clients. In turn that is what will make us successful. That being said, we want you to succeed.
So if you have question but you are not ready to move forward then call us. We never charge new or existing clients in order to help them go down the right road. Even if you never end up using our services we are confident that you will recommend our company to others because of how we treated you personally.
We take that same approach with law firms. Lawyers are encouraged to call us as many times as they need on all of their cases. We know that even if you don’t use our services on two or more calls, the fact that they continue to call shows them that we are a valuable resource for them that will not cost their clients a penny until they use our services. The end result is that our clients and or potential clients benefit and this is success for all of us.
Q: What does it mean to image a hard drive?
A: Imaging a hard drive means to make an exact duplicate of the entire physical hard drive. However, in order to hold up in a court of law it must be a forensic image. A forensic image is created by forensic software that stores a digital fingerprint of the original hard drive with the forensic image. Every time the forensic image is opened it calculates a digital fingerprint for the forensic image and compares it to the digital fingerprint of the original hard drive. These must match or it means that the contents of the image have changed.
Q: What is the process to image a hard drive?
A: The hard drive is removed from the target computer and attached to a forensic computer via a write-blocker. The write-blocker allows the forensic computer to read the hard drive but does not allow any data writes to the hard drive. Forensic software is then used to read the contents of the hard drive, which is stored in tamper proof evidence files. This process preserves the integrity of potential evidence on the hard drive. eForensix can image hard drives onsite at an attorneys office or in our forensic lab.
Q: What type of cases does eForensix engage?
A: eForensix is involved in civil and criminal cases for both plaintiff and defendant firms. We have been involved in cases addressing unfair competition, trade secret violations, employment issues, divorce, pornography in the workplace, stalking, sexual harassment and hostile work environment.
Q: What operating systems can eForensix image?
A: eForensix can image laptops, desktops and servers that use the Windows, MAC, Linux and Unix operating systems, as well as servers with all levels of RAID configurations. In addition, we can obtain information from most cell phones and PDA’s. However, it is important to call us at the earliest possible time to ensure the integrity of potential evidence. eForensix never charges attorneys for initial calls. Call us immediately at the number below.
Q: Where is Gmail, Hotmail or Yahoo mail stored?
A: All web-based email is stored on the servers that host the mail service. However, since the email is accessed utilizing a web browser, all the messages are cached in the unallocated portions of the hard drive. That means that all of the cached email is recoverable. It is therefore important to take the computer out of service to improve the probability of recovery. Continued use of the computer causes the unallocated portions of the hard drive to be overwritten. When this occurs it will not be recoverable.
Q: What is meta data?
A: Meta data is data located inside files and is not modified by file system activity. As you copy a file from one media to another, file attributes such as the file creation date and file last accessed date changes to the date you copied the file. This occurs because that is when the file was created on that media. However, the meta data located inside the file does not change and often reflects the actual date the file was initially created. Meta data can also include prior revisions, last printed date, author and much more.
Q: How can you determine spoliation of evidence?
A: Individuals who attempt to destroy evidence will use file shredders, which leaves a signature on the hard drive that forensic experts can find. Others who wish to appear less nefarious will delete files, then cause files to be written to the hard drive to overwrite the deleted files and then delete those files. This activity is detectable and can be documented to support the claim of spoliation.
Q: How can you determine a person’s web history?
A: When individuals delete their web history or limit it’s logging, eForensix utilizes scripts to search for web history files and rebuilds them for review. We have found that these files can last up to three years on a hard drive and not be overwritten, unless a shredder has been used on the hard drive.
Q: Can you determine when someone copied files?
A: Yes. Not many people know that Windows Explorer is integrated into Internet Explorer. Therefore, when someone copies a file from the C: drive or a network drive to an external thumb drive, the date, time and file name are stored in the web history logs. We can also tell you where the file was copied from, which may include an individuals network profile.
Q: Can you determine if a thumb drive was utilized?
A: Yes again. We can not only identify that a thumb drive or external hard drive was connected to the computer, in many cases we can also tell you the manufacturer of the drive. In addition, we can also tell you the date and time that drive was connected to the computer. In many cases we have been involved in, this was crucial information in the theft of customer lists by parting employees.