Collecting data and imaging media is an exacting process.  The most critical factor is preservation of the source data in its original state.  Collection or imaging that does not follow proper preservation steps, or that is performed without the necessary equipment (such as a hardware write blocker), can both alter the original data and fail to produce an exact image of the original media.

We perform forensic data collection and media imaging either on-site or in our lab.  Our collection and imaging services are performed using sound forensic methods and industry-accepted practices.  This includes using only industry-accepted hardware and software for every collection and imaging process.

The collection / imaging process uses the necessary write-blocking devices and duplication equipment to create what is known as a bit-stream image of your media.  A bit-stream copy is an exact “bit-for-bit” copy of the original media: it includes not only the normal (allocated) files, but also the area known as unallocated space, where many deleted files and file fragments can still exist.  Furthermore, we can create images in various formats including:

Plus various others.

Every image created is verified with the industry-standard MD5, SHA1, and/or SHA256 hashes: the digest computed from the source media is compared against the digest of the finished image, so you can be sure you have an exact copy.  Because MD5 and SHA1 are no longer collision resistant, SHA256 should always be recorded alongside them.
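The verification step above, as an added example that is not CFK's tooling or part of the original page: the source is read once, hashed as the bytes come off it, written to the image file, and the image is then re-read from disk and hashed independently. The source path is assumed to be a device node sitting behind a hardware write blocker in real use (here a constructed 1 MiB file stands in for it); the hash-on-read approach does not protect the source by itself.

```python
"""Added example: bit-stream acquisition with on-the-fly hashing and
independent verification of the written image. Not CFK's tooling."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20                     # read 1 MiB at a time
ALGOS = ("md5", "sha1", "sha256")   # the three digests named on the page


def _new_hashers():
    return {a: hashlib.new(a) for a in ALGOS}


def image_device(source, dest):
    """Copy source to dest byte for byte. Digests are computed on the bytes as
    they are read, so they describe what came off the source. `source` would
    normally be a device node behind a write blocker (e.g. /dev/sdb, an
    assumption); here it can be any readable file."""
    hashers = _new_hashers()
    total = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            total += len(block)
            for h in hashers.values():
                h.update(block)
        dst.flush()
        os.fsync(dst.fileno())      # image must be on disk before it is verified
    return {"bytes": total, **{a: h.hexdigest() for a, h in hashers.items()}}


def hash_file(path):
    """Re-read a file from disk and return its digests (the verification pass)."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(source, dest):
    """Acquire, then hash the image independently and compare every digest."""
    acq = image_device(source, dest)
    ver = hash_file(dest)
    match = all(acq[a] == ver[a] for a in ALGOS)
    return {"bytes": acq["bytes"], "acquisition": acq, "verification": ver, "match": match}


def demo():
    """Constructed input: a 1 MiB 'device' of known bytes, so the run is offline
    and repeatable. Afterwards one byte of the image is flipped to show that the
    verification digest catches post-acquisition corruption."""
    content = bytes(range(256)) * 4096
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.bin")
        img = os.path.join(d, "source.dd")
        with open(src, "wb") as f:
            f.write(content)
        result = verify_image(src, img)
        result["expected_sha256"] = hashlib.sha256(content).hexdigest()
        with open(img, "r+b") as f:      # simulate corruption of the stored image
            f.seek(100)
            f.write(b"\xff")
        result["tampered_match"] = hash_file(img)["sha256"] == result["acquisition"]["sha256"]
    return result


if __name__ == "__main__":
    r = demo()
    print(r["bytes"], "bytes,", "match" if r["match"] else "MISMATCH")
    print("sha256", r["acquisition"]["sha256"])
```

The acquisition digests belong in the case notes together with the image; any later recomputation over the image that does not reproduce them means the copy can no longer be relied on.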

Digital Forensics Analysis

Offline Host Analysis
This is usually the most appropriate method following a breach of organizational policy, such as theft of intellectual property, use of an organization's assets or resources for illicit or illegal purposes, or system compromise due to malware or a targeted attack. Investigation techniques include analysis of deleted emails (including those sent using web-based email systems such as Hotmail or Gmail) and email attachments; registry analysis covering the use of USB devices; file system analysis incorporating recovery of deleted files; file signature searches and manual file system reviews; timeline analysis; keyword analysis; and a detailed analysis of Internet usage.
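A file signature search of the kind listed above, as an added example that is not CFK's tooling or part of the original page: it scans a raw image for known header bytes and the matching trailer without consulting any file system structures, which is why it recovers deleted files and fragments from unallocated space. The signature table and the sample image are constructed for the example; the assumption that a file body does not contain its own trailer sequence holds often enough for JPEG, PNG and PDF to make this a useful first pass, but not always.

```python
"""Added example: header/trailer file-signature search over a raw image.
Ignores the file system entirely, so deleted files whose directory entries are
gone are found as long as their bytes survive. Not CFK's tooling."""
import re

# Header and trailer bytes for a few common types (constructed table).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf":  (b"%PDF-", b"%%EOF"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Return every header hit as a dict, sorted by offset. A hit whose trailer
    is not found within max_size bytes is reported as an incomplete fragment
    (data=None) rather than dropped, because the fragment itself is evidence."""
    hits = []
    for kind, (header, trailer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                hits.append({"type": kind, "offset": start, "complete": False, "data": None})
                continue
            end += len(trailer)
            hits.append({"type": kind, "offset": start, "complete": True,
                         "size": end - start, "data": image[start:end]})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed 'unallocated space': no file system structures, just zeroed
# sectors with three objects at arbitrary offsets, the last one truncated.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"        # complete JPEG at 512
    + b"\x00" * 1024
    + b"\x89PNG\r\n\x1a\n" + b"IHDR..." + b"IEND\xaeB`\x82"    # complete PNG at 1551
    + b"\x00" * 256
    + b"\xff\xd8\xff\xe1" + b"cut off here"                     # JPEG fragment at 1830
)


def carve_sample():
    return carve(SAMPLE_IMAGE)


if __name__ == "__main__":
    for h in carve_sample():
        print(f"{h['type']:5} @ {h['offset']:6d} complete={h['complete']}")
```

On a real image the scan would be run over the file in chunks (or via mmap) rather than loading it whole, and every carved object would be hashed and its offset recorded so that the recovery can be reproduced from the verified image.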

Live Host Analysis

This is usually most relevant where evidence is likely to reside in system memory (running processes, open network connections, decrypted data and keys), which becomes inaccessible once the system is powered down; or where the system in question is so important to the organization that powering it down would cause an unacceptable level of disruption.

To seek out malware that operates at a low level of the operating system and can modify native functions without the operating system itself reporting the change, we use the following techniques:

Sandbox Testing

In addition to the offline analysis of media, CFK investigators can carry out ‘behavioural’ analysis. This involves attaching the media to a virtual machine in an isolated virtual environment with no connection to the Internet. The technique is particularly useful in malware investigations, where malware will try to call out to command-and-control infrastructure: in the sandbox those attempts can be observed and recorded without the malware reaching its operators or receiving further instructions.

At the end of every digital forensics investigation CFK provides the client with a thorough report of the incident, signatures of any malware recovered, an assessment of the damage sustained in the incident, and recommendations to prevent a recurrence.