Computer forensics is the discipline of analyzing
computers and computer data and reporting the facts from that data to
attorneys, judges, and juries as part of the litigation process.
Forensic examiners must be trained and experienced in order to avoid
contaminating the computer data during the examination process. The
examiner must also understand how to document the process to provide
credibility and validity in court. Finally, and perhaps most
importantly, the examiner must be able to explain the facts in plain
English so the significance of the findings can be grasped by people
unfamiliar with computer technology.

David Rismann Consultants Inc. has been performing computer forensic
examinations for six years and has successfully assisted in more than
seventy cases. DRC's technicians are professionally
certified forensic computer examiners. They have extensive
experience with all types of computers and computer media as well as
the latest innovations in computer forensic technology. They adhere to
the strictest standards in the industry. Furthermore, DRC's forensic
examiners have provided effective qualified expert
testimony in both state and federal courts.

Forensic computer examinations can include the following:

- Recovery of deleted files and folders - In most cases, when a file is
  deleted the data remains intact on the hard disk until the file system
  decides to overwrite it with data from a new file. We use sophisticated
  techniques to locate and recover relevant data.
- Metadata analysis from Office documents - Microsoft Office documents have
  many data fields bound into them that record characteristics from the
  document. These data can include the creator of the document, the last ten
  authors, date and time stamps for the document that are independent of
  the file system date and time stamps, and more. These fields are often
  useful in evaluating a given document's legitimacy.
- Keyword searches to identify relevant information in both existing files
  and deleted files - Keyword searching is a powerful tool allowing
  the examiner to quickly locate data relevant to the project and produce
  it for further inspection. Existing and deleted data, as well as data in
  email and file archives, can be searched automatically, saving time and
  improving accuracy.
- Email recovery, searching, production - Whether the email exists in
  server-based email databases, desktop application databases, text files,
  or even remnants from browser-based email activity, we have the tools to
  identify relevant email and produce them for inspection. Platforms
  supported include:
  - Microsoft Exchange EDB data stores
  - Lotus Notes data stores
  - GroupWise data stores
  - Outlook PST files
  - Standard MBOX archives
  - Entourage databases and RGE archives
  - and many more
- Database recovery and analysis - We have conducted examinations involving a
  wide variety of database formats where important data had to be
  recovered and produced in an intelligible format.
- Image and multimedia recovery and production - We utilize tools that allow
  us to quickly scan media for images and to segregate those relevant to a
  particular examination. Even images that have been deleted can often be
  carved out of the unallocated portions of the disk and recovered.
- Internet browsing history analysis - Most browsers keep records on the web
  sites and pages visited. These records can be examined (recovered if
  deleted) and collated to provide a comprehensive profile of a user's web
  browsing habits.
- Instant messaging history - If the instant messaging application was
  configured to save message history files, they can be recovered and
  produced. This has been useful in cases where individuals utilized
  instant messaging applications instead of email applications in order
  to avoid detection.
- FTP/FXP history - We are often able to recover log files that show how and
  when FTP/FXP applications were used to download or update sites.
- Reconstruction of computing activity during certain time periods - It is
  often useful to produce a chronological profile of a computer user's
  activities during a particular time period. These studies can help
  determine, for example, whether someone was using the computer at a
  particular moment.
- Analysis of Windows registries - Windows registries contain all sorts of
  information about the system, installed applications, computer use, and
  configuration. Registry keys carry a date and time stamp that can be
  used to substantiate computer use during a given time period.
- Detection of the use of secure deletion and/or wiping utilities -
  Sophisticated users may try to circumvent forensic analysis by using
  secure deletion or wiping utilities. These utilities overwrite deleted
  files, making them impossible to recover. Many of these utilities leave
  subtle signatures behind that allow us to determine whether they have
  been used.
- and more!

We are able to image and analyze almost any type of computer hardware
including servers and workstation computers, storage devices (SAN/NAS),
RAID arrays, USB drives, memory cards/sticks, cell phones, and PDAs.
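The list above notes that deleted data stays on disk until it is overwritten and that deleted images can be carved out of unallocated space. The following is an added illustration of that carving idea, not the firm's tooling: a structure-aware JPEG carver that walks the segment framing, rejects a fragment whose tail has been overwritten, and hashes each recovered image for the examination record. The function names and the sample buffer are constructed for this example.

```python
import hashlib

SOI = b"\xff\xd8\xff"                          # start-of-image plus next marker prefix
NOT_MARKER = {0x00, 0xFF, *range(0xD0, 0xD8)}  # stuffing, fill, restart markers

def jpeg_end(buf, start, max_size=20 * 1024 * 1024):
    """Offset just past EOI for the JPEG at `start`, or None if its structure
    is broken (for example because the tail was overwritten by a newer file)."""
    limit = min(len(buf), start + max_size)
    pos = start + 2
    while pos + 2 <= limit:
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker in (0xD8, 0xD9):   # EOI completes the image; a second SOI means a cut-off file
            return pos + 2 if marker == 0xD9 else None
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:           # SOS: skip entropy-coded scan data
            while pos + 1 < limit and not (
                    buf[pos] == 0xFF and buf[pos + 1] not in NOT_MARKER):
                pos += 1
    return None

def carve_jpegs(buf):
    """Return (offset, length, sha256) for every structurally complete JPEG."""
    found, pos = [], 0
    while (pos := buf.find(SOI, pos)) != -1:
        end = jpeg_end(buf, pos)
        if end:
            found.append((pos, end - pos, hashlib.sha256(buf[pos:end]).hexdigest()))
        pos = end or pos + 1         # fragment or false hit: keep scanning
    return found

def fake_jpeg(scan):
    """Constructed, non-decodable stand-in with valid JPEG segment framing."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)
    sos = b"\xff\xda\x00\x08" + bytes(6)
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

# Constructed "unallocated space": zeros, one intact image, stale text, a
# fragment whose tail was overwritten, then a second intact image.
A = fake_jpeg(b"\x12\xff\x00\x34\xff\xd0\x56")
B = fake_jpeg(b"\xab" * 20)
UNALLOCATED = bytes(512) + A + b"old text " * 10 + B[:30] + bytes(100) + B + bytes(64)

if __name__ == "__main__":
    print(carve_jpegs(UNALLOCATED))
```

Run against a read-only image or a working copy, never the original media; the recorded offsets and SHA-256 values let another examiner reproduce the same carve.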
If you require the services of a
forensic computer examiner, don't trust your case to just anyone.
Computer forensics requires specialized training and hands-on
experience to be done properly. Failing to follow proper procedures can
result in having the data and all conclusions drawn from them
excluded from consideration. Don't take that risk! Call David Rismann
Consultants Inc. to discuss your case with a qualified, experienced
forensic expert.

Note: David Rismann Consultants Inc. is not a private investigative agency.
It does not conduct background checks, surveillance, or provide any
other investigative services. If you require the services of
a private investigator, we will be happy to provide you with the name
of a qualified candidate.