Forensic Investigations and Data Recovery

Data Recovery

We can recover data from the following devices:

  • Desktop hard drives (any interface including IDE, SATA, SCSI, SAS and Fibre Channel)
  • Laptop Hard Drives
  • RAID Arrays (RAID Levels 0, 1, 5, 6 and other striping methods)
  • Flash Drives (including USB memory sticks, digital camera memory cards, etc…)
  • Tapes

Data recovery in some cases is just a matter of recovering a few pictures or documents. In other cases it's a matter of duplicating the entire drive onto a new drive and then fixing the corrupted files (for example, your computer suddenly fails to boot and we discover it's because the drive is failing). In still other cases, people have a virus and just want to back up their data before they start the process of removing the virus, as a safety net. Whatever your needs or concerns, we will address them up front before we start any work and will do our best to recover 100% of the information you require.

Free estimates are always given before we start any recovery work on your system or hard drive. Using the same forensic methods for your home computer that we do for Fortune 500 companies ensures that we treat your data loss seriously. We follow very strict procedures to minimize data loss, corruption, and further damage. We even offer an EXACT duplicate of the data on a new drive (as an option) before we start the recovery process. This is sometimes required under the rules of evidence when the material to be recovered will be presented in court as evidence under the NC General Statutes.

Utilizing the proprietary and very expensive data recovery software and hardware we have in our facility, the data recovery process (while time-consuming) is just a matter of us taking the drive out of your computer (or laptop) and mounting it in a special reader that can start the recovery process. The time to recover the data varies widely depending on the type of data, the size of the drive it's on, the severity of the data corruption (if any) and the age of the drive (newer drives are significantly faster). We will let you know all this once we get the drive in our hands and start working on it.

Once we have an idea of the amount of data to be recovered we can then put it on a new drive, a CD/DVD or a flash drive (sometimes called a Thumb Drive). We will advise you based on your situation.

 

What are the signs I might need Data Recovery?

Other than the obvious “Oh no, my file(s) are gone!”, what other signs normally precede data recovery?

  • Repetitive “clicking noise” coming from your computer is usually a sign of mechanical damage to a hard drive
  • A message stating that the Operating System is not found or Missing Operating System
  • Computer BIOS does not detect a hard drive at startup
  • A completely silent hard drive can mean there is an electrical problem with the drive and that it needs recovery.
  • Very slow file access often indicates data corruption.
  • Endless loop when trying to boot the system or recurring BSOD (Blue Screen of Death)
  • Computer asks to format the drive when it is mounted
  • USB drive or device is not recognized when inserted

 

What should I do if my hard drive fails?

  • If you have signs of a physical failure, do not continue to try to boot the computer or power on the drive. You will only cause further physical damage and possibly make the drive unrecoverable.
  • Do not install over-the-counter data recovery software on a drive with deleted or lost files. You could potentially overwrite the data you are trying to recover.
  • If the data is mission critical, do not try to recover the data yourself!

 

What causes a hard disk or flash drive to fail?

There are hundreds of reasons a hard drive will fail, and as with any mechanical device, it will eventually fail. Failures can be caused by:

  • Wear and tear – Daily use for years and years can and will eventually cause failures.
  • Impact – As portable electronics get smaller and the need for large amounts of data storage continues to grow, many recovery cases we see are caused by dropping a device or accidentally kicking a flash drive while it's plugged into the computer.
  • Liquids – Coffee spills and other accidental spills seriously harm the electronics of a hard disk or flash drive and, in the case of floods, the internal components as well.
  • Electrical problems – Power surges and electrical storms can cause damage to external and internal components of storage devices.
  • High Temperatures – Poor ventilation and high operating temperatures can cause premature drive failures.
  • Overwriting – When important system areas of a drive are overwritten, the drive will become unbootable.
  • Logical Failure – Operating system errors, viruses, and accidents can lead to logical file system damage.
  • Manufacturer's defect – Some drives are notorious for failures due to firmware bugs or faulty parts. The manufacturer warrants against failure but will only replace the drive, not the data on it.



Computer Forensics

Computer forensics is the collection, preservation, analysis, and eventual presentation of computer-related evidence. A substantial amount of information is retained on a computer, more than most people realize. It’s also more difficult to completely remove this information than is generally thought. For these reasons (and many more), computer forensics can often find evidence of, or even completely recover, lost or deleted information, even if it was intentionally deleted. This is useful in cases of computer crime, family law (cheating spouse, etc.), cases involving child pornography, theft of digital information, human resources proceedings (including sexual harassment suits, allegations of discrimination, and wrongful termination claims), or any matters that involve the use of computers in the crime(s). Utilizing special forensic tools, the investigator can produce evidence used in proving a case against a criminal while preserving the data and following the rules of evidence as required in a court of law.

Typical List of Services Offered:

  • Expert Testimony
  • NIST-Compliant Disk Imaging
  • Data Mining and Retrieval
  • Recover/Discover Deleted File(s)
  • Recover/Discover Corrupted File(s)
  • Recover/Discover Chat Log(s)
  • Recover/Discover Internet Browsing History
  • Recover/Discover Email(s)
  • Determine Applications Run, Installed, Deleted or Modified
  • Recover/Discover Password(s)
  • Recover/Discover Registry Entries
  • Recover/Discover Database(s)
  • Recover/Discover Network Access
  • Recover/Discover Specific Computer or File Access
  • Evidence Processing

 

Our computer forensic process is based on the following model:

  1. Plan
    Any successful computer forensics investigation begins with a plan. The ability to build and follow targeted workflow guidelines which save time, increase the amount of relevant data, and produce the highest quality results is essential. Our team can work with staff investigators and security personnel to identify and target sources of evidence, gain an understanding of the case, and apply the proper procedures.
  2. Acquire
    Our Forensic Services range from complete computer forensic disk imaging to gathering information from sources (such as servers) in a manner consistent with the Best Practices of the Computer Forensic Guidelines. This ensures the proper chain of custody and admissibility in court.
  3. Extract
    The ability to go beyond the capabilities of computer forensic software tools while maintaining computer forensic soundness is critical to making a case. Our keen understanding of where to look in complex corporate networks, along with our ability to work as unobtrusively as possible, sets us apart from other firms. We are experienced in extracting electronic data from desktop and laptop PCs as well as complicated mail and financial systems.
  4. Analyze
    Even the smallest hard disk drives contain tens of thousands of files. We use advanced techniques, hardware and software tools to isolate only the most relevant electronic data. Our clients agree: we deliver results of the highest relevance, and we handle the investigation in the shortest possible amount of time. Having a deep understanding of the underlying technologies makes finding “the smoking gun” – in the least likely places – our specialty.
  5. Report
    Once the analysis is complete, presenting an understandable, defensible, and complete report is key. Our clients find the evidentiary reports easy to understand and extremely precise. The ability to defend the process and testify to the methodologies used makes our experts unrivaled in the field of computer forensics.

Confidentiality and Professionalism:

Confidentiality and professionalism are the cornerstone of our business. All analysis and consulting work is performed at the highest level of forensic scrutiny. We follow all forensic procedures and use only open and verifiable techniques and tools. The methodologies we use are transparent and verifiable. We encourage the Court and opposing sides to dissect our work, because we stand behind its admissibility one hundred percent. Because of this philosophy, we use absolutely no proprietary or “secret” methods when performing our analysis.

What is Imaging:

When producing forensic evidence for the courts, the simple rule is: original is best. This makes perfect sense when dealing with material items that can be examined without having their evidentiary value compromised. However, what should be done about computer data?

Imaging is the industry-accepted standard for the preservation of computer-based evidence. Much different than a simple copy or a backup of your data, imaging is a non-invasive method of producing a complete sector-by-sector copy of an electronic storage device. It is the electronic version of “freezing the scene.” The image can be stored on a durable medium such as a DVD and is used as the working copy for examination and production of evidence.

Imaging of the client’s hard drive(s) is essential for various reasons. The most important purpose is the preservation of the original evidence (client hard drive). During the imaging process, the client hard drive is not altered in any way. In fact, a mathematical hash value is calculated over the drive prior to imaging and again after imaging. These two values should be identical, which shows that an exact copy has been made and the original hard drive has not been tampered with. The imaging process captures all data, including deleted information and data found in unallocated space. Our methods ensure all of the data on a hard drive is retained and recovered.

Hard drive images are also made so that the original hard drive can be placed into evidence. All subsequent data recovery and analysis is then completed on the imaged copy. This method ensures the original is not altered and no data can be deleted accidentally. Many of our clients’ cases do not start out as legal cases but consequently turn into them after our analysis. Having a hard drive that has not been tampered with is absolutely necessary for successful litigation.
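
The before-and-after calculation described above, as an added example (not this firm's tooling): the source is hashed, copied block by block, then the source and the image are hashed again and compared. The file names, the 64 KiB block size, the choice of SHA-256 and the small constructed file standing in for a drive are assumptions; in practice the source is a device attached through a write blocker.

```python
import hashlib
import os
import tempfile

BLOCK = 512 * 128  # assumed read size: 64 KiB, a whole number of 512-byte sectors

def sha256_of(path, block=BLOCK):
    """Hash a file or raw device node by streaming it in fixed-size blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def image_and_verify(source, image, block=BLOCK):
    """Copy source to image block by block; return the hashes and the verdicts."""
    before = sha256_of(source)                 # original, prior to imaging
    with open(source, "rb") as src, open(image, "wb") as dst:  # source is read-only
        for chunk in iter(lambda: src.read(block), b""):
            dst.write(chunk)
    after = sha256_of(source)                  # original, after imaging
    copy = sha256_of(image)                    # the working copy
    return {
        "source_before": before,
        "source_after": after,
        "image": copy,
        "source_unchanged": before == after,   # original was not altered
        "image_exact": copy == before,         # image is a bit-for-bit copy
    }

def demo():
    """Constructed stand-in for a drive: one live sector and one 'deleted' sector."""
    with tempfile.TemporaryDirectory() as d:
        source, image = os.path.join(d, "evidence.raw"), os.path.join(d, "image.dd")
        with open(source, "wb") as f:
            f.write(b"LIVE FILE".ljust(512, b"\x00") + b"deleted remnant".ljust(512, b"\xff"))
        result = image_and_verify(source, image)
        # Change a single byte of the working copy: its hash no longer matches.
        with open(image, "r+b") as f:
            f.seek(600)
            f.write(b"X")
        result["tamper_detected"] = sha256_of(image) != result["source_before"]
        return result

if __name__ == "__main__":
    print(demo())
```

The recorded hash values belong in the case notes alongside the image, so the comparison can be repeated later by any party.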

Notes for Law Enforcement:

If there is a computer on the premises of a crime scene, the chances are very good that there is valuable evidence on that computer. If the computer and its contents are examined (even if momentarily) by anyone other than a trained and experienced computer forensics specialist, the usefulness and credibility of that evidence will be tainted and may be inadmissible in a court of law. If you currently have computer evidence that you have seized as part of an investigation, please contact us. We will gladly provide a short consultation at no charge to your department. More in-depth assistance can range from consultation to hands-on help with all steps of the process.

We are prepared to help you if you experience a hard drive failure and can’t access your data. The first step is for our trained professionals to evaluate the potential causes for drive failure. We are sure to avoid any action that would put your data at further risk. We can usually help our clients get their data back through straightforward remedies. When the hard drive has damage to its internal parts, such as the drive motor or the headstack assembly, we refer the case to Gillware Inc., a highly regarded data recovery lab. Gillware’s trained engineers have access to a clean room environment and will evaluate your drive to provide a cost estimate. Gillware does not charge any fee unless you are satisfied with the recovered data, which you will be able to verify in advance. Hard drive failures are upsetting, and we’re here to give you the best route to data recovery.