Proactive Risk provides mission support for corporations, attorneys, private investigators, and individuals to uncover digital evidence to support criminal and civil investigations. One of the most important aspects of a good digital forensics case is the ability for the evidence to hold up in court. Our digital forensics specialists are specifically trained to function as expert witnesses.
A digital forensic investigation has five main steps:
Evidence Acquisition / Collection
This step includes creating a forensic image (imaging) of the evidence. This should be done to avoid tampering with the original evidence. Imaging is like copying the evidence; however, besides capturing all evidence data, such as files and folders, imaging also captures important information such as metadata and data in unallocated space. In the case of a hard disk drive, forensic imaging is the process of producing an exact replica by making a bit-for-bit copy of the evidence. Before capturing a forensic image, you should attach a write blocker, which is a hardware device that prevents any modifications to the original evidence.
Verification / Analysis
Once an image is created, a hash signature should be created for both the forensic image and the original evidence to verify that the image is a true, identical duplicate. The hash is like a signature: if even a trivial modification is made to the evidence, its hash will change. Therefore, the investigator should compare the hashes of the forensic image and the original evidence to ensure that both hashes are the same. If they are not the same, then the forensic image is not valid and a new identical image should be created. It is advised that multiple copies of the forensic image are made so that if one copy is modified, the investigator may use another copy.
Preservation
Once a forensic image has been created, the original evidence can be stored in a safe place away from unauthorized individuals. It must be protected from humidity, high temperatures, tampering, and any factors that may alter or harm it.
Analysis/Reporting
The evidence is analyzed to extract artifacts that answer the 5 investigation questions: who, when, what, where and why. These are often referred to as six questions, including how. In some cases, the analysis results are also used to prove that an incident did not occur, so this is an important step either way.
Validation
Any results or artifacts found during analysis need to be validated to ensure their soundness. This can be done by computing hash values and replicating analysis procedures. The conducted analysis should be repeatable and reproducible, which means that if another investigator repeats the same analysis step, the same results will be achieved. It is advised to note down a minimum of 2 types of hash values so that it will not create a problem in court.
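The hash comparison from the Verification step and the two-hash advice from the Validation step can be carried out in one pass, as in the following added example (not Proactive Risk's own tooling). The function names, the choice of MD5 and SHA-256 as the two hash types, and the sample data are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def digest_pair(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for path, reading the data only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(source_path, image_path):
    """Hash source and image with both algorithms; every digest must match."""
    source = digest_pair(source_path)
    image = digest_pair(image_path)
    mismatched = [name for name in source if source[name] != image[name]]
    return {"source": source, "image": image,
            "verified": not mismatched, "mismatched": mismatched}


def demo():
    """Constructed data: a stand-in 'source', an exact copy, and an altered copy."""
    data = os.urandom(3 * CHUNK + 17)          # not a multiple of CHUNK on purpose
    altered = bytearray(data)
    altered[-1] ^= 0x01                        # flip a single bit in the last byte
    with tempfile.TemporaryDirectory() as work:
        paths = {}
        for name, content in (("source", data), ("good", data), ("bad", altered)):
            paths[name] = os.path.join(work, name + ".dd")
            with open(paths[name], "wb") as fh:
                fh.write(content)
        return (verify_image(paths["source"], paths["good"]),
                verify_image(paths["source"], paths["bad"]))


if __name__ == "__main__":
    good, bad = demo()
    print("exact copy verified:", good["verified"], good["image"])
    print("altered copy verified:", bad["verified"], "mismatch in", bad["mismatched"])
```

On real evidence the source path would be the device as seen through the write blocker, and the returned digests are the values to note down in the case record.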
With so many variables with electronic evidence, each project is unique. Our team can help you with Mobile Devices, Wearable, Medical, GPS Devices, Internet Attached Cameras, Cloud Services and more. We encourage you to contact our offices at 973-298-1160 to discuss your unique situation and how we can help.
2021 FINDIT PRICING
The following price list is a general reference.
| Description | Cost |
| --- | --- |
| Media acquisitions at our location (cost of hardware & travel additional) | $400.00-$500.00 depending on HDD capacity |
| Media acquisitions at client’s premises (cost of hardware & travel additional) | $250.00 per hour (minimum 4 hours) |
| iPhone, Android, Blackberry phones, iPad, (logical acquisitions plus report) | $995.00 per device |
| Hourly rate for forensic work (examinations, analysis, reports) | $250.00 per hour |
| Expert witness preparation for testimony | $350.00 per hour |
| Expert witness testimony minimum half day (4 hours) | $1500.00 flat rate |
| Expert Witness testimony daily rate (8 hours) | $2,500.00 flat rate |
| Social Media Capture - FaceBook, Twitter, Instagram, Pinterest, Snapchat etc. | $995.00 for each account |
| Website Capture up to 2000 pages | $2500.00 |
| Website Capture pages 2001 through 10,000 | + $950.00 per 1000 pages |
| Travel time outside 20-mile radius of remote office | $125.00 per hour |
| Items purchased on behalf of client i.e. hard drives, USB drives etc. | Cost plus $25% |
| Weekends and holidays | 1.5 times the regular rate. |
| eDiscovery Platform Data Storage | $36 per GB per month |
For more information contact us at 973-298-1160 Monday - Friday 10am - 4pm EST.