Data recovery is needed when serious problems affect your computer and you have not recently
backed up your user files. These problems could range from a virus to
a hard drive in the process of failing; both of these are very common
problems. We can help in these cases; 95% of the time we are very successful
in our efforts to recover your files.
Computer Forensic Examinations are necessary when indications of illicit activity are suspected on a computer or any device with memory. They can be useful to a parent worried about what their child is looking at or doing on their computer. They can be useful to attorneys looking for evidence to either prove or disprove whether something happened. They can be useful to employers that need to know what their employees are doing on company computers. An examination can determine who, what, why, when and where something happened.
Things we can find are:
1. The timeline of all activity on a computer, including names of files that were deleted, even after the Recycle Bin is emptied. It details when the computer was on or off and can identify past users whose accounts have been deleted. The timeline of activity must be for a short time period and must be specified to keep the timeline manageable. This can be helpful for employers and attorneys to establish if a person was using their computer during a given time frame and what they were doing during that time.
2. Complete files of any type: documents, spreadsheets, pictures, databases, QuickBooks, etc. This is the only recovery where the specific user logon of the computer can be identified.
For JPEG pictures from digital cameras, we can use face recognition software to quickly identify people if a good picture of that person is available for reference.
This also applies to pictures that were recovered using the method in item 3 below.
3. Deleted files where the surface area of the drive they were on has not been overwritten.
4. Unique words, phrases, names of people, businesses or places, telephone numbers, credit card numbers, Internet searches or any other unique lines of text that you provide for us to search for on any drive or in any stream of data. This can find evidence in remnants of files that have been partially overwritten.
5. Remaining bits of partially overwritten pictures on any drive or in any stream of data.
6. GPS (Global Positioning System) data from pictures taken with a smart phone or camera that records GPS data with each picture can be recovered. The date and time as set on the phone or camera is always present as well as the manufacturer and model number of the camera. This data can also be found in file remnants even if the picture is not recoverable. This is useful to find out the physical locations the user(s) have been at, and the times and dates they were there. If the camera can be acquired it may also yield additional data.
7. GPS mapping devices that have been backed up to the computer contain more location data. This data can also be found in file remnants. Should this be present it is very useful to find out the physical locations the user(s) have been at. If the GPS device is available and the data from the device can be acquired it may yield additional information.
8. Facebook data can be found allowing the creation of a list of those people that the user(s) know. This applies only if one or more of the users used Facebook. This data can also be found in file remnants.
9. iPhone data can be backed up using iTunes. If a user has done this, it can yield even more data. If the iPhone can be acquired, it can yield more and newer data.
A stream of data can be acquired from any internal or removable hard
drive, solid state drive (SSD), flash or thumb drive, camera memory card,
cell phone memory card, GPS device memory card, floppy disk or any other
memory that can be physically accessed.
The above streams of data will be acquired using read-only equipment
thus preserving the original. This can be done in our lab or at your site,
but can take several hours depending on the length of the data stream.
If you have any "chain of custody" or "chain of evidence" requirements,
thought must be given to where this is done. We have the legal paperwork
to track this information.
If you can remove a person from a scene during an illicit activity in
progress, leaving the computer powered on and untouched, we can come to
your site and capture a copy of the memory stream of the computer in use.
This can be very valuable if the person did not save any evidence to the
hard drive or if the hard drive has full disk encryption. You will need
to keep moving the mouse slightly to prevent the computer from going to
sleep or to a screensaver if an unknown password is being used. Do not
shut down the computer in this situation. Keep the laptop power supply
plugged in to prevent any shutdown due to a low battery.
You will need to specify what you are looking for to keep the scope of the search on target. We will work with you to separate relevant files and data in the least amount of time.
We can prepare a report containing the relevant information regarding your situation. These reports are unique and we will work with you on a presentation that will meet your requirements. It is best that this be discussed at the beginning to ensure everything required in the report is separated out during the examination of the data, avoiding any duplication of work or delays.
It is strongly recommended that you engage our computer forensic examination
services through your attorney or private investigator if there is any
possibility that the results of the examination end up in litigation
or court; this will help your forensic analysis to be admissible in court.
Working through an attorney also provides you with the benefit of
attorney-client privilege.
Please call us at 714-222-2140 to discuss your situation.