It is said that data is never completely erased from storage media. While this is not quite true, it can be difficult to removed data from a computer Hard Disk drive completely without special tools, machines or software. As a result a wide variety of data can be recovered from the computer Hard Disk Drives. Not that long ago, the size of a Hard Disk Drive ( HDD ) was in the megabyte or 1,000,000 bytes. Now storage is measured in Gigabytes or Billions of characters of data and Terrabytes or Trillions of Characters.

Computers store data on Storage Media which includes:
* Hard Disk Drives
* Floppy Disks
* Backup tapes
* CD Rom disks
* E-prom and Memory chips

*

Because data is easily destroyed, when the data arrives at the lab or is collected in the field, the first priority of the investigator is to preserve integrity of the evidence. Just turning on the machine and allowing the system to boot, will cause irreversable changes to the data.

Specialized equipment and tools are use to make the media essentially Read Only and prevent any alteration of the data stored on the media.

Common data retrieved from Storage Media:

* Internet History files
* What web sites have been visited.
* What files were been downloaded.
* Length of visit.
* Records of files printed
* Deleted documents
* Evidence of erasure of data
* Accounting system information

And much more.

Mobile and Cell Phone Forensics Examination can:

1.     Acquire forensically sound phone data without altering the data on the phone.
2.     Correlate data across multiple phones and computers
3.     Analyze:

*          phonebook
*          last dialed numbers
*          missed calls
*          received calls
*          Text Messages / SMS messages
*          Multimedia Messages / MMS Messages
*          photos
*          files
*          Data files
*          phone details
*          calendar
*          notes
*          Alarms
*          tasks
*          and more.

4.     Read data directly from the SIM, including deleted data
5.     Correlate data to Cell Provider Records

- Some fax machines and printers can contain exact duplicates of the last several hundred pages sent and/or received.
- Fax machine logs can also tell a story about where faxes were sent and when.
- Faxes sent or received via computer may remain indefinitely on the computer's HDD.
- Larger printers and copiers now have Hard Disk Drives on which the print job is stored prior to printing. Logs of who printed and perhaps copies of the print job may be contained on these Hard Disk Drives.

Many modern digital copiers function as copiers, printers, scanners and fax machines. The information from each of these functions may be stored on internal hard disk drives ( HDD ). This information may be of value as evidence in Civil or Criminal cases. It is possible to retrieve exact copies of documents that have been copied, printed, scanned or faxed from these multi-function machines.

This same information stored on these HDDs can lead to issues with information security and privacy:

* Patient information confidentiality is covered by Health Insurance Portability and Accountability Act (HIPAA).

* Fair Credit Reporting Act (FCRA) which can cover:
- medical records or payments
- residential or tenant history
- check writing history
- employment history
- insurance claims

* Gramm–Leach–Bliley Act (GLB) which covers the disclosure of “Nonpublic Personal Information” by financial institutions.

As well as other federal and state laws.

Erasure of these digital copier HDDs is essential to adhering to state and federal laws.

Modern digital cameras not only write the photo to the data file stored on the Storage Media ( usually memory cards ), but also additional information is stored in what is commonly referred to as 'Exchangeable image file format' data or Exif data. The Exif Metadata can contain a tremendous amount of information includeing: The type of camera, the version of the software on the camera, the resolution, the date and the time of the photo, in some cases the camera actually writes the GPS coordinates to the photo and more. This data is actually stored in the photo so when the photo is copied and moved the Exif Metadata goes with the photo. More sophisticated cameras also have large hard disk drives to store large numbers of digital photos. And therefor may have deleted photos that may be recoverable.

Some of the following and more may be contained in the Exif information:
- Width in Pixels
- Height in Pixels
- Horizontal Resolution
- Vertical Resolution
- Number of colors available for the image from the camera
- Number of frames
- Camera Manufacturer
- Camera Model
- Camera Software version
- Color Representation
- Flash Mode
- Lens focal length
- F-Number or focal length
- Exposure time
- ISO Speed
- Metering Mode
- Light Source
- Exposure Program
- Exposure Compensation
- Date & Time Photo taken ( Camera clock )

- And More!

The following items may be manually updated and also stored inside the photo:
- Author / Photographer
- Title
- Subject
- Keywords
- Comments

Automobile Black Boxes

• Nearly all vehicles with an air bag have a crash recorder or Electronic Data Recorder ( EDR )
• GM was the first to allow access to EDR data
• GM vehicles after model year 1990 became harvestable
• In 2002 Ford followed suit by allowing access to some models
• Other manufacturers also have black boxes capable of recording crash data but have not yet provided the codes needed to interpret the information.
• Certain states have limits over the kinds of data that can be used by Insurance Companies

In August of 2006, The Department of Transportation, National Highway Traffic Safety Administration, published rules related to Event Data Recorders

High tech industry analyst Canalys estimates that global shipments of PNDs (Portable Navigation Devices) or GPS (Global Positioning Systems) reached 8.8 Million Units in Q3 2008 a growth of 14% year-on-year. Indicating the well over 30 million units were sold world wide.

GPS devices can be a good source of forensic evidence. GPS devices now contain much more than navigational information and may contain data more commonly found in cell phones and other portable decices such as audio, video, and text based files including word processing documents and spread sheets.

GPS forensics is the systematic preservation, investigation and analysis of GPS devices for evidence. for supporting evidence of a criminal act or information of interest. The data contained in a GPS system can be used in all kinds of legal proceedings. Civial as well as criminal invstigations are increasingly examining these systems. These devices sometimes are quietly collecting and logging positional data while a crime or act is being carried out. The two most popular manufacturers encountered in the field are: Garmin and TomTom.

Each manufacturer is different and each device has different capabilities. Some devices are also speaker phones linked by Blue Tooth technology to cell phones. Some or all of the following information may be retrieved from GPS devices.

* Location Tracking Logs
* Waypoints
* Routes
* Stored Locations: Home, Office, Favorites, etc
* Recent Addresses Visited
* Call Logs (Missed, Dialed, Received)
* Paired Device History (MAC ID)
* Incoming/Out Going Text or SMS Messages
* Files Including: Videos, Photos and Audio

Electronic devices of all kinds generally have some sort of memory. In many cases we are able to determine what has been done with the device. Each device and the memory in the device is unique. Call us for a free consultation.

Our in depth knowledge of Accounting Systems and Medical Billing Systems makes us the ideal examiner:

* Internal Employee Fraud
* Medical Billing Company Fraud
* Physician & Partner Fraud
* Partner Disputes

We have the expertise to take apart data files and determine what has happened inside and outside the system.

Text Here

People tend to write things in email that they would never consider writing in a memorandum or letter. They believe that e-mail is transient and temporary when, in fact, it can be around for eternity in the records of Government agencies and libraries. Email is often backed up on tapes that are generally kept for months or years.

When e-mail is send from John's computer using his mail account:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it and it is read on Jane's computer using her email account:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it the e-mail has been stored, even if just temporarily, on at least 4 machines:
- John's office computer where the e-mail was drafted
- the his email system.com's computer system
- the shehasemail.org email system
and finally:
- Janes home computer system where she read the e-mail.

It would not be unusual for it to be stored on many more machines than listed here.

As a result, the text and data contained in the e-mail system may well be retrievable from any of these 4 systems, depending upon the timing of the recovery and the use of the systems that would have the e-mail.

Documents now contain Meta-Data. 'Meta-Data' or 'data about data', found in documents can show who created a document, when and perhaps even where. It can also contain information about changes made to the document and more.

Just like Documents, Spreadsheets contain Meta-Data. 'Meta-Data' or 'data about data', found in spread sheets can show who created the spreadsheet, when and perhaps even where. It can also contain information about changes made to the document and more.

Modern digital cameras not only write the photo to the data file stored on the Storage Media ( usually memory cards ), but also additional information is stored in what is commonly referred to as 'Exchangeable image file format' data or Exif data. The Exif Metadata can contain a tremendous amount of information includeing: The type of camera, the version of the sofware on the camera, the resolution, the date and the time of the photo, in some cases the camera actually writes the GPS coordinates to the photo and more. This data is actually stored in the photo so when the photo is copied and moved the Exif Metadata goes with the photo. More sophisticated cameras also have large hard disk drives to store large numbers of digital photos. And therefor may have deleted photos that may be recoverable.

Some of the following and more may be contained in the Exif information:
- Width in Pixels
- Height in Pixels
- Horizontal Resolution
- Vertical Resolution
- Number of colors available for the image from the camera
- Number of frames
- Camera Manufacturer
- Camera Model
- Camera Software version
- Color Representation
- Flash Mode
- Lens focal length
- F-Number or focal length
- Exposure time
- ISO Speed
- Metering Mode
- Light Source
- Exposure Program
- Exposure Compensation
- Date & Time Photo taken ( Camera clock )

The following items may be manually updated and also stored inside the photo:
- Author / Photographer
- Title
- Subject
- Keywords
- Comments

We have the expertise to take apart data files and determine what has happened inside and outside the system.

Date Created:
The date & time that this file was created on this machine, this would include the date downloaded from the Internet.

Date Accessed:
This is the last date that the file was accessed for reading by the machine or user.

Modification time aka MTIME

A file's modification time represents when the contents of the file was most recently changed. However, because operating systems don't check to see if the file actually changed, it can merely represent the last time that the file was saved by the application that had the file open.

Metadata:
Metadata is “data about data.” Metadata can be attached or associated with various types of  ESI including: Document Files, Photos, Text Messages, Email Messages, as well as physical items such as CDs and DVDs.

Text Here

Text Here

Text Here