1. What is computer forensics?
Computer forensics is a process, not a thing. It is the process of acquiring data from computers and other electronic sources; mining that data for specific information requested by the client; and providing the data in a clear, concise and understandable format.
2. When should computer forensics be used?
The use of computers has become commonplace throughout our personal and business lives. Almost any type of engagement may benefit from the application of computer forensic skills. If electronic information is important to your assignment, then it is important to involve computer forensic experts in either obtaining it or verifying that you did receive everything you requested.
3. What is it that you do when you are engaged by a client?
Once engaged, our work will usually proceed in a series of phases. These phases usually take on the following forms:
Planning and preparation
Acquisition
Data preparation, indexing, and cataloging
Key word searches and data mining
Deliverables
Refinements / Additional requests
4. What is the planning and preparation phase?
This is the most important part of the process. We find that, often, this is the part in which the clients or other interested parties fail to spend any significant amount of time. During this phase, it is important that the acquisition team gain a clear understanding of what the case/engagement is about (details are good). In addition, the target systems (computers, PDA’s, cellular phones, fax machines, copiers, etc.) need to be identified and certain details need to be disclosed.
The last component in this phase is that all parties should understand and agree on the scope of work to be performed, and on when and what can be expected during the life of the engagement.
5. Can an estimate of time and/or expense be provided during the planning and preparation phase?
Any estimate in this business needs to start with the caveat “if something can go wrong, it will.” Based on this simple but often true statement, providing any estimate of time and/or expense is not in anyone’s best interests. When problems arise, the estimates have a way of making the client unhappy and making the BSS&S computer forensic team miserable.
If a guide is needed, the following can be used:
Cost: All work is on a time and material basis, plus reasonable expenses. We are happy to report progress as we proceed; including periodic reports of how much time has been incurred, so that you or your client can keep track of what is being spent.
Travel: We bill time and expenses relating to travel.
Planning and Preparation: Depending on the size, complexity, and location of the work, this can be accomplished in as little as 2 hours or take as much as a week.
Acquisition: Acquiring a system is fairly straightforward. If we acquire the images on a target site, we bill time for the time we are on site. If we acquire a single image in our lab, the time ranges between 45 minutes and 8 hours depending on the size of the hard drive, the age of the drive, issues with the hard drive, and other unforeseen events.
6. What is the Preparation, Indexing and Cataloging phase?
This phase will require a large amount of time but will not incur huge costs to the client. During this phase, the acquired data will be verified for a variety of things, organized, grouped, prepped for indexing and cataloguing, and lastly placed on one of our systems for the indexing and cataloguing stage.
• At this point, all issues and priorities must be known or additional time and cost will be incurred later.
• The indexing and cataloging of an image is an intensive computer process. It requires one computer system to be dedicated full time during this process. This process can take as little as 8 hours or it can take as much as 3 days. Please note that this time is not determined by an individual, it is determined by the number of files, size of the hard drive, and the other issues affecting the acquisition phase. As a general rule, the process takes approximately 1.5 to 2.5 hours per 1 GB of data. (A 40GB hard drive can take between 60 and 100 hours to index and catalogue the image.)
Now the good news, the majority of the time involved in the process is not billed to you, the client. The client will be billed for setup and monitoring for the process; a few hours per image.
7. What is the Key word search and data mining phase?
This phase is where it all comes together. It is also the most time consuming and costly component of the process. The client will work with our computer forensic team to produce a search term / extraction list. This will be our guide during the process. This list will then be applied to each image / index - catalogue. The following items should shed some light on this process:
• Each image / index - catalogue is processed separately from all other images. This means that a 10 term search list being applied to 10 images is the equivalent of applying a 100 term search to 1 image. Also keep in mind that there will be some overhead in booting up 10 drives vs. the time it takes to boot up 1 drive.
• Search terms need to be specific and as relevant as possible. The reason for this is that the search process will apply the specific term to every file and/or space on the image. Consequently, generic or abbreviated terms will result in a large number of false hits.
• A hit can be defined as the search term appearance in either a file or file remnant. In the past, we have seen hits for a single search term to exceed 1 million and we have seen the file count for a single search term to exceed 10 thousand.
• Every hit (false or otherwise) will need to be reviewed and have its relevance determined. In other words, the fewer false hits - the better.
• All of this translates to time. The more specific the terms and instructions for the types of specific data being sought, the fewer false hits will appear and the less time it will take to review the search results.
• In general, one image, having approximately 10 - 15 terms against it, can be searched and the results reviewed in about 12 - 16 hours.
8. What is the Deliverables phase?
This phase is dedicated to extracting and exporting the relevant files from the search phase. Creation of deliverables occurs as follows:
• Exporting the relevant files to a local directory. This process can be somewhat lengthy, depending on the number of relevant files associated with each search term. We have seen the export process take anywhere from 15 minutes to 2 hours per search term. So, a large number of terms and a large number of relevant files can result in a lengthy process.
• Burning the exported relevant files on to media for delivery to the client is the next part of the deliverable process. We have the ability to create CD’s, DVD’s, ZIP disks, hard drives, and tape. The time to create the deliverable media depends on the type of media, the amount of data to be delivered and the number of media to be created.
• The last step in the deliverables process is the quality control checks and mailing.
Each disk is verified as follows:
Each deliverable is produced from a master source disk. The master source disk is verified at the time of creation both electronically and visually. Once produced, each deliverable is verified to the master source disk electronically. Each deliverable is then verified visually by at least two personnel from the BSS&S computer forensic team.
The visual inspection includes the following:
Ensuring that the disk is recognized by the test computer(s).
The disk opens and reveals its contents.
Any folder located on the disk opens and files are present.
Random files are selected and then opened. (Important note - this check is limited to Microsoft Word and Excel files only.)
Most deliverables are sent via Federal Express for overnight delivery. Local delivery can be handled through a courier or other method.
9. What is an MD5?
An MD5, much like its predecessor the CRC, is a mathematical formula. If this formula is applied to an individual file, group of files, folders or an entire drive, it will produce a unique value for those items. This allows the integrity and uniqueness of the items the formula was applied to be verified.
The analogy concerning the hash is as follows: Statistically speaking, an individual has a greater chance of walking down the street, finding a lottery ticket for tonight’s drawing and being the sole winner of that prize having matched all 7 numbers on the ticket, than of having a hashed file be modified and, upon re-running the formula against the file, seeing the same value produced.
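The electronic verification of a deliverable against its master source disk (question 8) and the hash check just described, as an added example that is not BSS&S’s own tooling: it builds a per-file digest manifest of a master tree and reports every file that is missing, extra or modified on a copy. The file names and contents in `demo()` are constructed sample data; SHA-256 is computed alongside MD5 as an assumption of this example, because MD5 collisions are practical today.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 as the page describes, plus SHA-256 since MD5 collisions are practical today.
ALGORITHMS = ("md5", "sha256")

def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory buffer with every algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}

def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Digest a file in chunks so multi-GB images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its digests."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_master(master: dict, copy_root: Path) -> dict:
    """Verify a deliverable against the master manifest, listing every difference."""
    copy = build_manifest(copy_root)
    missing = sorted(set(master) - set(copy))
    extra = sorted(set(copy) - set(master))
    modified = sorted(n for n in master if n in copy and master[n] != copy[n])
    return {"missing": missing, "extra": extra, "modified": modified,
            "ok": not (missing or extra or modified)}

def demo() -> dict:
    """Constructed sample: a master tree and a copy with one altered and one extra file."""
    files = {"report.doc": b"quarterly figures", "mail/msg1.txt": b"meeting at noon"}
    with tempfile.TemporaryDirectory() as tmp:
        master_dir, copy_dir = Path(tmp, "master"), Path(tmp, "copy")
        for base in (master_dir, copy_dir):
            for rel, data in files.items():
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        (copy_dir / "mail" / "msg1.txt").write_bytes(b"meeting at one")  # tampered copy
        (copy_dir / "notes.txt").write_bytes(b"stray file")               # not on master
        master = build_manifest(master_dir)
        return {"self": compare_to_master(master, master_dir),
                "copy": compare_to_master(master, copy_dir)}
```

Hashing the master at creation time and re-running the comparison on each burned copy catches both a truncated burn (missing files) and a silently corrupted one (modified files), which a visual check alone cannot.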
10. What kinds of databases can you work with?
The type of database is less important than the type of output and the purpose of the output. We have successfully worked with databases ranging from Oracle, Sybase, and SAP to MS Access and several proprietary UNIX, midrange, and mainframe systems. Database questions will need to be addressed on a case by case basis.
11. What kind of cases have you worked on?
We have seen tremendous success over the past few years. The cases we have had the pleasure to work with include:
• Insurance related matters including viatical companies
• Securities (SEC investigations) - Stock holder suits against brokers - Stock holder suits against companies
• Corporate investigations - Fraud - Employee issues - Sarbanes/Oxley - Whistle blower
• FTC actions - Pricing issues - Employment issues
• Receiverships - Bankruptcy - Labor issues
• Debtor / Creditor actions- Investigation in locating missing funds
• Hacking cases - Incident response, Managing the crime scene, locating the source, assisting the government in catching the bad guy
• Theft of trade secrets
• Destruction of evidence
• Best evidence / correct evidence cases - Did the client actually receive everything they requested?
• Employee behavior / conduct cases
• Security audit in conjunction with employee/outsider malfeasance
12. Can you work with tapes and if so, what kind?
We can successfully extract information from tapes ranging from mainframe tapes and reel to reel to DLTs, DATs and VHS. We are highly experienced in data extraction from tape and can work on any tape format that is presented to our team. Our success in extracting data from tapes is largely due to our partnership with a tape recovery service that specializes in backup media. A combination of their software paired with our experience has provided strong results for our clients. Their services allow us to extract your data quickly, while protecting the chain of custody. The most significant gain from our partnership with the tape extraction service has been the speed of extraction and the cost savings that are passed on directly to our clients.
13. How quickly can you respond and what does that mean?
Our staff understands that the preservation of evidence begins with an immediate or near immediate response. Once a client has decided to engage our services, obtaining the evidence is critical to the on-going investigation. Our staff tries to meet the following response time:
Anywhere in the 48 states in 24 - 48 hours from the time authorized to travel to that site.
Anywhere in the world in 48 - 72 hours from the time authorized to travel to that site.
Our staff travels to the site by the most direct and efficient means possible, with the equipment needed to conduct the investigation. Once on site, our team secures and/or acquires the data from the site. After the data is acquired, it is processed in our state-of-the-art forensic laboratory using the latest hardware and software and the most current forensic practices.
The geography of the client or attorneys involved is no longer a problem. Although we are located in South Florida, we have the ability to provide access to the data for review and discussion via a secure connection over the internet.
Whether you need 1, 10 or 100 reviewers working through the data, we have the ability to assist you in managing the data and your review process.
14. Once you start a case, how long before we can get some information?
This is a difficult question and the answer is as soon as possible. Once a case is taken on, we will put every available resource on our client’s case and will continue working diligently to provide them the answers and data they need. The following is important to remember:
There are many processes and procedures which are controlled by technology and the data extracted from the target site. We do not control the time or length of the process. It takes what it takes.
Emergencies can and will be handled in an expeditious manner. Unfortunately, we are required to do certain things in a certain order and failure to do this will result in delays later in the engagement.
As with most things, computer forensics takes advantage of a natural momentum that builds through the process. Each case is handled in a similar way and as long as the process is agreed upon and followed, things which appear at first to not be moving will suddenly take off or be completed.