jmac enterprises
computer forensics details

Forensic Examinations

All computer forensic examinations are unique in their purpose and methodology. For the most part, however, computer forensic examinations by JMac are structured as follows:
  1. Acquisition
  2. Search
  3. Recovery
  4. Retrieval
  5. Analysis
  6. Documentation
  7. Testimony/Consultation

Acquisition:

The computer is powered off and all peripherals are disconnected. An auxiliary power source and data cable are attached to the hard drive and a bit-stream mirror image is taken. Forensic protocol is followed in that no "writes" are made to the original hard drive. The image is transferred to a forensic machine for processing.

Search:

System, internal hardware and software configurations, and hard disk directory structure are examined for information and leads. If passwords or other obstacles are encountered, they are either decrypted or bypassed. Forensic utilities are loaded into memory and directed to find specific text or patterns located within all data blocks including intact files, erased files, unallocated space, slack space, and cached areas on the hard drive(s). If appropriate, all e-mails are extracted and loaded into a separate forensic application for special processing.
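The pattern search described above can be sketched as follows. This is an added example, not JMac's tooling: it scans a raw (dd-style) image as one byte stream, so hits in unallocated and slack space are found the same way as hits in intact files, and it carries an overlap between reads so a keyword that straddles a read or sector boundary is not missed. The 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import io
import re

SECTOR_SIZE = 512  # assumption: 512-byte sectors, used only for reporting


def search_image(stream, keywords, chunk_size=1 << 20):
    """Return sorted (byte_offset, sector, keyword) for every occurrence."""
    # Lookahead patterns report overlapping occurrences; matching ignores ASCII case.
    pats = [(kw, re.compile(b"(?=" + re.escape(kw) + b")", re.I)) for kw in keywords]
    overlap = max(len(kw) for kw in keywords) - 1
    hits, tail, base = [], b"", 0  # base = image offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for kw, pat in pats:
            for m in pat.finditer(buf):
                # Occurrences lying wholly inside the carried-over tail were
                # already reported on the previous read; skip them.
                if m.start() + len(kw) > len(tail):
                    off = base + m.start()
                    hits.append((off, off // SECTOR_SIZE, kw))
        # Keep the last (longest keyword - 1) bytes so a keyword split across
        # two reads is seen whole on the next pass.
        keep = buf[-overlap:] if overlap else b""
        base += len(buf) - len(keep)
        tail = keep
    return sorted(hits)


def build_sample_image():
    """Constructed 2 KiB sample image: zero fill with two planted strings."""
    img = bytearray(4 * SECTOR_SIZE)
    img[100:107] = b"INVOICE"           # inside sector 0
    img[1018:1031] = b"Wire Transfer"   # straddles the sector 1/2 boundary
    return bytes(img)


if __name__ == "__main__":
    # For a real examination, open the image copy read-only: open(path, "rb").
    image = io.BytesIO(build_sample_image())
    for off, sector, kw in search_image(image, [b"invoice", b"wire transfer"], 512):
        print(f"offset {off} (sector {sector}): {kw.decode()}")
```
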

Recovery:

If pertinent data is found to reside within deleted files, they are recovered as completely as possible.

Retrieval:

All significant data blocks are off-loaded to the auxiliary storage device for off-site analysis. Data is copied in a manner consistent with established preservation of evidence protocols and with as little disruption to the normal course of business as possible.

Analysis:

Information specific to the case is extracted from all data blocks, printed out where appropriate, or converted to appropriate format for easy examination by clients or their representatives.

Documentation:

A comprehensive and professionally bound report is prepared and presented to the client. The report details all aspects of the examination process and the results obtained.

Testimony/Consultation:

If appropriate, a JMac representative will testify as an expert witness to the protocol and results of the exam. In all cases JMac will discuss the results of the examination with the client and offer expert advice as to how to best interpret the result.