DataChasers® offers examinations tailored to the needs of the client, based on escalating levels of intensity for each examination.
Level 1: At a basic discovery level, the hard drive is previewed; the original media is accessed, but not imaged (i.e., copied). A significant amount of data may be discovered at this level, and an evaluation of potential evidence determined, especially if defined data is known and requested (such as the recovery of a specific file). However, there are limitations at this level that will be fully explained to the client before continuing. Estimated time to accomplish this task is one day (4 to 10 hours), the variable depends on the demands of the client.
Level 2: The most frequently required type of examination, a standard examination, is more extensive, requiring that a "clone-copy" of the media be created, which is then used for the examination. This focuses on the recovery of specific data (both deleted and active): text, graphics, date codes, etc. Exam time is widely variable, depending primarily on the client's requirements, the applications necessary to extract data, scope of keyword searches, the operating system, the media (e.g., size of the hard drive), and a number of other factors, all of which have a combined impact on the time involved. Estimated time is two days (10 to 20+ hours).
Two of the work stations in our lab. DataChasers has the capability to run multiple forensic machines simultaneously. This allows us to quickly process data from any case, regardless of size or complexity.
Level 3: The most extensive examination is an advanced examination, which includes a full investigation of trace artifacts, latent evidence, slack and unallocated space, and a comparative analysis of the data, date codes, links, a full-and-complete examination and analysis of the media and related corroborative evidence within the computer. This exam is not strictly dependent on specifics from the client, but is and of itself a full and complete investigation. This extent of examination is especially useful when seeking computer evidence that is confirmed from several related areas within the computer. This may provide irrefutable evidence that is then used to corroborate or refute specific allegations. For example, date codes may be linked to specific files, which are linked to hidden artifacts, which are linked to graphics, which are linked to e-mail, etc. Factors to consider include those previously noted plus password protection, hardware configurations, keyword searches, the extent of the report, etc. Estimated time is two to three days (20 to 30+ hours).
NOTE: Industry-standard procedures at all stages of the examination ensure that the original media is unaltered in any manner, thus assuring the integrity of the client's data. The above descriptions are a synopsis of the examination levels. A comprehensive description of each is immediately available via e-mail or fax.
