Frequently Asked Questions
1. What is computer forensics?
Computer forensics is the use of computer investigation and analysis techniques to identify, examine and preserve potential electronic evidence so that it remains admissible in a court of law. It is a process that must be tested and updated continuously to ensure proper results.
2. Who uses computer forensics evidence?
Criminal prosecutors, civil litigators, financial institutions, corporations, insurance companies, law enforcement officials and individuals can and do make use of evidence revealed by computer forensics specialists.
3. What services do you provide?
We provide three services. Information collection, extraction and recovery involves identifying critical information and protecting and preserving the integrity of electronic data against any alteration, damage or corruption during the forensic examination. Analysis, usually conducted in the lab, includes revealing the contents of hidden files as well as temporary and swap files. Finally, we present the overall findings and analysis.
4. Do you conduct analysis directly on original evidence?
No. One of the cardinal rules of computer forensics is “Never work on original evidence”. The best way to conduct analysis is on a duplicate copy of the evidence, as original evidence could be exposed to the risk of contamination. It may be easier to analyse the original but it is not considered “Best Practice” in computer forensics.
Evidence is very fragile and needs to be handled properly or it will be easily destroyed. It could be accidentally modified or destroyed with just one keystroke. During the computer forensic process, the risk of alteration, damage and virus introduction must be eliminated or minimised.
We use a disk imaging tool to make a bit-stream duplicate or forensically sound copy of an original disk. Disk imaging is defined as making a secure, forensically sound copy on media that can retain the data for an extended period.
6. How do I know that no data has been changed during computer forensic analysis?
All analysis is done on a forensically sound copy of the original disk. The copy is verified by computing a cryptographic hash (a checksum such as MD5 or SHA-1) over the original and over the copy and comparing the two values: matching values show that the copied data has not been altered and is in every way the same as the original. Re-computing the hash of the copy after the analysis shows that the analysis itself changed nothing.
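The verification described above, as an added example rather than NISER's own tool: hashes are computed in fixed-size chunks so that a device of any size can be handled, the acquisition hash of the source is compared with the hash of the image, and a single flipped bit in the image is enough to break the match. The algorithm (SHA-256 here, with MD5 shown only for comparison), the chunk size and the constructed sample disk are all assumptions of this example.

```python
import hashlib
import io
import random

CHUNK = 1 << 20  # 1 MiB reads, so a multi-gigabyte image never has to fit in memory


def hash_stream(stream, algorithm: str = "sha256", chunk: int = CHUNK) -> str:
    """Hash a binary stream in fixed-size chunks, as an imaging tool does for a raw device."""
    h = hashlib.new(algorithm)
    while True:
        block = stream.read(chunk)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def hash_bytes(data: bytes, algorithm: str = "sha256", chunk: int = CHUNK) -> str:
    """Convenience wrapper for in-memory data (used by the sample below)."""
    return hash_stream(io.BytesIO(data), algorithm, chunk)


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file or a raw device node opened read-only (e.g. an image file or /dev/sdb)."""
    with open(path, "rb") as f:
        return hash_stream(f, algorithm)


def verify_image(source: bytes, image: bytes, algorithm: str = "sha256") -> dict:
    """Compare the hash of the source with the hash of the image and record both values."""
    src = hash_bytes(source, algorithm)
    img = hash_bytes(image, algorithm)
    return {"algorithm": algorithm, "source": src, "image": img, "match": src == img}


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Simulate a single-bit alteration of the image at the given byte offset."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


# Constructed sample "disk": 256 KiB (plus an odd tail) of seeded pseudo-random bytes.
SAMPLE_DISK = random.Random(2024).randbytes(256 * 1024 + 321)

if __name__ == "__main__":
    good = verify_image(SAMPLE_DISK, SAMPLE_DISK)
    bad = verify_image(SAMPLE_DISK, flip_one_bit(SAMPLE_DISK, 12345))
    print("clean image matches:   ", good["match"])
    print("one-bit change matches:", bad["match"])
    print("record:", good)
```

In practice the source is hashed while attached through a write blocker, so that computing its hash cannot itself alter it, and the two hash values are recorded alongside the image so the comparison can be repeated by anyone who later examines the copy.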
7. Can deleted files be retrieved?
This depends on how long ago they were deleted and how much the computer has been used since. When a file is deleted on a FAT file system (the case described here), the operating system marks the clusters the file occupied as available in the file allocation table.
Deletion does not in any way destroy or damage the data in the clusters; it only overwrites the first byte of the file's directory entry with the value 0xE5, which DOS displays as the Greek letter sigma. The file has been removed from the index, but a forensic investigator can recover it by extracting it straight from the clusters.
The situation becomes more difficult as time passes. Once the file has been deleted, the operating system sees its clusters as available for use. The next time a new file is saved onto the disk, there is the danger that the new file, or part of it, will be stored in the clusters containing the deleted file.
Under certain circumstances some of the old file can still be recovered even after a new file has been written over its clusters, because files are allocated in whole clusters. For example, suppose a 30 kilobyte file is deleted and a 20 kilobyte document is later saved starting in the same clusters. The new document overwrites only the first 20 kilobytes; the last 10 kilobytes of the original remain in the clusters the new document did not need, and fragments of the old file can also survive in the slack space between the end of the new document and the end of its last cluster. Both can be retrieved.
8. Can I retrieve files from reformatted disks?
Yes, in most cases. The Format command in Windows or DOS performs a high-level format that does not destroy data: it simply resets the index (the file allocation table and root directory) so that the operating system sees the disk as empty. The information is still there, but the operating system no longer knows how to retrieve it. Note that Windows Vista and later versions zero the whole volume during a full format, so on those systems only a quick format leaves the data recoverable.
Low-level formatting of the hard disk, by contrast, destroys all data. It is usually carried out only once, by the manufacturer. The Format command in DOS or Windows does not perform a low-level format.
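The mechanics behind questions 7 and 8, as an added example that is not part of the original page or of any NISER tool: a toy FAT-style volume in which deleting a file only marks its directory entry with 0xE5 and frees its clusters, a quick format only clears the table and directory, and the forensic views (undelete, file slack, unallocated space) read the data area directly. The 4 KB cluster size, the toy end-of-chain marker, the file names and the numbered-line contents are all constructed for this example; the 30 KB and 20 KB figures follow the answer to question 7, with the second file made 100 bytes short of 20 KB so that file slack is also visible.

```python
from dataclasses import dataclass

CLUSTER = 4096   # bytes per cluster (assumed; real FAT volumes use 512 B to 64 KiB)
DELETED = 0xE5   # value DOS writes over the first byte of a deleted directory entry
END = -1         # toy end-of-chain marker (real FAT uses 0xFFF / 0xFFFF / 0x0FFFFFFF)


@dataclass
class Entry:
    name: bytearray   # mutable so deletion can overwrite the first byte
    start: int        # first cluster of the file
    size: int         # logical size in bytes


class Volume:
    """Toy FAT-style volume: a cluster-indexed data area, an allocation table and a directory."""

    def __init__(self, clusters: int):
        self.data = bytearray(clusters * CLUSTER)
        self.fat = [0] * clusters          # 0 = free, otherwise next cluster or END
        self.directory: list[Entry] = []

    def _free_clusters(self, count: int) -> list[int]:
        free = [i for i, link in enumerate(self.fat) if link == 0]
        if len(free) < count:
            raise OSError("volume full")
        return free[:count]                # first-fit, as DOS allocates on a fresh volume

    def write_file(self, name: bytes, content: bytes) -> Entry:
        chain = self._free_clusters(max(1, -(-len(content) // CLUSTER)))  # ceil division
        for i, cluster in enumerate(chain):
            piece = content[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes actually written are touched: the unused tail of the last
            # cluster (file slack) keeps whatever was there before.
            self.data[cluster * CLUSTER:cluster * CLUSTER + len(piece)] = piece
            self.fat[cluster] = chain[i + 1] if i + 1 < len(chain) else END
        entry = Entry(bytearray(name), chain[0], len(content))
        self.directory.append(entry)
        return entry

    def _find(self, name: bytes, deleted: bool = False) -> Entry:
        for e in self.directory:
            if deleted and e.name[0] == DELETED and e.name[1:] == name[1:]:
                return e
            if not deleted and e.name == name:
                return e
        raise FileNotFoundError(name)

    def delete_file(self, name: bytes) -> None:
        """What DOS does on delete: mark the entry and free the chain; the data area is untouched."""
        e = self._find(name)
        cluster = e.start
        while cluster != END:
            cluster, self.fat[cluster] = self.fat[cluster], 0
        e.name[0] = DELETED

    def quick_format(self) -> None:
        """A high-level format: the index is reset, the data area is not."""
        self.fat = [0] * len(self.fat)
        self.directory = []

    # --- forensic views that bypass the index ------------------------------------
    def undelete(self, name: bytes) -> bytes:
        """Recover a deleted file the way early undelete tools did: assume it was contiguous."""
        e = self._find(name, deleted=True)
        return bytes(self.data[e.start * CLUSTER:e.start * CLUSTER + e.size])

    def slack(self, name: bytes) -> bytes:
        """File slack: bytes between the end of a live file and the end of its last cluster."""
        e = self._find(name)
        last = e.start
        while self.fat[last] != END:
            last = self.fat[last]
        used = e.size - (max(1, -(-e.size // CLUSTER)) - 1) * CLUSTER
        return bytes(self.data[last * CLUSTER + used:(last + 1) * CLUSTER])

    def unallocated(self) -> bytes:
        """Everything in clusters the table marks free: where deleted data lives."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, link in enumerate(self.fat) if link == 0)


def sample_content(tag: bytes, size: int) -> bytes:
    """Constructed file content: numbered lines, so any recovered fragment can be matched to its origin."""
    out, n = bytearray(), 0
    while len(out) < size:
        out += b"%s line %06d\n" % (tag, n)
        n += 1
    return bytes(out[:size])


def overwrite_scenario() -> dict:
    """Question 7: a 30 KB file is deleted, then a file just under 20 KB is saved over its clusters."""
    vol = Volume(clusters=16)
    a = sample_content(b"REPORT", 30 * 1024)
    b = sample_content(b"MEMO", 20 * 1024 - 100)
    vol.write_file(b"REPORT.TXT", a)
    vol.delete_file(b"REPORT.TXT")
    intact = vol.undelete(b"REPORT.TXT")      # nothing written yet: the whole file comes back
    vol.write_file(b"MEMO.TXT", b)
    after = vol.undelete(b"REPORT.TXT")       # the first clusters now belong to MEMO.TXT
    return {
        "intact": intact == a,
        "overwritten_prefix": after[:len(b)] == b,
        "surviving_tail": after[len(b):] == a[len(b):],       # 100 B of slack + 10 KB of free clusters
        "bytes_survived": len(a) - len(b),
        "slack_is_old_data": vol.slack(b"MEMO.TXT") == a[len(b):20 * 1024],
        "tail_in_unallocated": a[20 * 1024:] in vol.unallocated(),
    }


def format_scenario() -> dict:
    """Question 8: a high-level format empties the index but leaves the data area alone."""
    vol = Volume(clusters=16)
    a = sample_content(b"LEDGER", 12 * 1024)
    vol.write_file(b"LEDGER.TXT", a)
    vol.quick_format()
    return {
        "directory_empty": vol.directory == [],
        "all_clusters_free": all(link == 0 for link in vol.fat),
        "data_still_there": vol.unallocated().startswith(a),
        "carve_offset": vol.data.find(b"LEDGER line 000000"),   # a carver finds it at cluster 0
    }


if __name__ == "__main__":
    print("after overwrite:", overwrite_scenario())
    print("after format:   ", format_scenario())
```

The two scenario functions return the facts the answers above state: before anything else is written the deleted file comes back whole; after a smaller file reuses its clusters, the overwritten prefix is gone but the last 10 KB sit in clusters the table marks free and 100 bytes more sit in the new file's slack; and after a quick format the directory and table are empty while a search of the raw data still finds the file at its old offset.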
9. My computer has crashed. Can I still retrieve my data?
If the information still exists on the hard drive, we can find it. If the crash was caused by a virus, software malfunction or hardware failure, much if not all of your data may still be on your hard drive. As long as the hard drive itself is in good physical working condition, we can recover the existing data from it.
10. What is the cost of the service?
We charge by the man-hour. An average examination or recovery of data takes a minimum of one hour, though this varies with the situation. Factors that affect the amount of time required include:
Amount of data to be recovered and analysed (e.g. hard drive size, number of diskettes)
Volume of material
Attempts at destroying data
There is no charge for initial consultation. Please contact us for details.
11. Do you provide training? What are the requirements?
We provide basic and intermediate level training for law enforcement agencies only. For more information on our training please contact us.
12. How do I contact NISER for computer forensics services?