Maintaining Computer Data Integrity
DataChasers® strives to provide the most comprehensive forensic computer examinations possible. By following a few simple guidelines, you will help our computer specialist ensure a complete examination in the least amount of time. With this in mind, we ask you to consider the following suggestions:
If the computer is ON, please leave it on; if it is OFF, leave it off. Each time an operating system boots it writes to several hundred files, overwriting data that may be crucial to the investigation. For example, Windows writes to 600-1,500 different files, depending on the number of programs installed and how the system is configured. Among these is the swap file, which is essentially an extension of RAM kept on the hard drive. When RAM is under pressure, the operating system moves some of its contents into the swap file; RAM is cleared when the computer is shut down, but the swap file retains the data that was sent to it. This data is retrievable, but if the computer is booted, depending on the configuration, the swap file may be lost.
Please never allow your personnel to access the computer. Doing so changes the dates on which files were last accessed or written, deposits contaminated data in files that only forensic experts can reach, and taints the evidentiary value of all the data.
Please do not allow a copy to be made of the hard drive. A forensic copy differs from a Windows or DOS copy, which copies only existing, logical files, not the entire physical hard drive. We use endorsed, industry-standard tools specifically designed to make a bit-by-bit copy of the entire physical hard drive, including slack space (the data remaining in the unused portion of each sector) and unallocated space (space not assigned an entry in the FAT, the File Allocation Table), where much of the needed data resides. All software is licensed for use by our expert examiners, who are certified in its use.
Also, copying to a "clean and formatted" hard drive may seem the correct procedure, but it allows data unrelated to the case to be read during the forensic examination. This is because formatting does not actually remove data from a hard drive. When new files are simply copied onto the drive, what remains in slack space is whatever was on the drive before the new files overwrote it. Forensically, we will be looking at that slack space, and it will be representative not of the current user but of whatever was on the hard drive before it was formatted.
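The two points above (a logical copy misses what a bit-by-bit image keeps, and a "formatted" drive still carries old data in slack and unallocated space) can be shown on a toy disk. This is an added illustration, not DataChasers' code or tooling: the 512-byte disk, the FAT-like directory, the file names and the contents are all constructed for the example.

```python
import hashlib

SECTOR, SECTORS = 16, 32  # tiny 512-byte "disk", purely for illustration

class ToyDisk:
    """A physical medium plus a FAT-like directory: name -> (start_sector, length)."""
    def __init__(self):
        self.raw = bytearray(SECTOR * SECTORS)   # every byte on the platter
        self.directory = {}
    def write_file(self, name, start, data):
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.directory[name] = (start, len(data))
    def quick_format(self):
        self.directory.clear()   # only the allocation metadata goes; the bytes stay put
    def sectors_of(self, name):
        start, length = self.directory[name]
        return range(start, start + -(-length // SECTOR))   # ceil division

def logical_copy(disk):
    """What a Windows/DOS copy captures: only the bytes the directory claims."""
    return {n: bytes(disk.raw[s * SECTOR:s * SECTOR + l])
            for n, (s, l) in disk.directory.items()}

def slack_of(disk, name):
    """Bytes between the end of a file and the end of its last sector."""
    start, length = disk.directory[name]
    end = (max(disk.sectors_of(name)) + 1) * SECTOR
    return bytes(disk.raw[start * SECTOR + length:end])

def unallocated(disk):
    """Every sector no directory entry claims."""
    used = {s for n in disk.directory for s in disk.sectors_of(n)}
    return b"".join(bytes(disk.raw[s * SECTOR:(s + 1) * SECTOR])
                    for s in range(SECTORS) if s not in used)

def forensic_image(disk):
    """Bit-for-bit copy of the whole medium, hashed so it can be verified later."""
    image = bytes(disk.raw)
    return image, hashlib.sha256(image).hexdigest()

def demo():
    disk = ToyDisk()
    disk.write_file("old.txt", 2, b"OLD CASE DATA THAT WAS 'DELETED' BY FORMAT")
    disk.quick_format()                               # the "clean and formatted" drive
    disk.write_file("report.txt", 2, b"new file")     # current user partly overwrites sector 2
    image, digest = forensic_image(disk)
    return {"logical": logical_copy(disk), "slack": slack_of(disk, "report.txt"),
            "unallocated": unallocated(disk), "image_has_old": b"'DELETED'" in image,
            "verified": hashlib.sha256(image).hexdigest() == digest}
```

Running `demo()` shows the logical copy contains only `b"new file"`, while the slack of that file and the unallocated sectors still hold the earlier "deleted" text that the full image preserves.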
Thank you for assisting us by following these simple requests. Your compliance allows us to ensure a thorough forensic examination that can be testified to at a later date.