Forensics & Collection
Forensic Data Collection
In today’s digital world, preserving evidence correctly is of paramount importance to any case. As part of our Plaintiff electronic discovery services, our firm provides you with certified computer examiners and analysts to assist in the expert collection and/or investigation of all types forensic evidence. These include:
Computer and server data
Databases, SharePoint and document management systems
Electronic Health Record systems (e.g. Epic, Cerner, McKesson, etc.)
Online and other cloud data storage sites
Cell phone, tablet and other personal device data
Social media, geolocation and geofencing investigations
Text and chat data
Wearables data (e.g. FitBit)
Vehicle and other device black box data
Recovery of deleted files
And much more …
Computer and server data
Databases, SharePoint and document management systems
Electronic Health Record systems (e.g. Epic, Cerner, McKesson, etc.)
Online and other cloud data storage sites
Cell phone, tablet and other personal device data
Social media, geolocation and geofencing investigations
Text and chat data
Wearables data (e.g. FitBit)
Vehicle and other device black box data
Recovery of deleted files
And much more …
ILS has full computer forensics expertise, including testifying expertise to guide clients in their preservation and collection needs. We cover the full range of evidentiary sources from the traditional workstation / laptop / server environments to newer data sources such as smart phones, tablets, wearables, social media, cloud-based media, website capture, etc. We work consultatively and believe that proper planning is essential to create defensible preservation plans, avoid business interruption and assure that counsel has the evidence needed to meet their clients’ goals. Steps can include:
Data mapping
Custodial interviews
Litigation hold process
Determination of hold in place decisions
Forensic collection from identified sources
Data mapping
Custodial interviews
Litigation hold process
Determination of hold in place decisions
Forensic collection from identified sources
If You Don’t Know Where to Look, You Might Not Know What to Ask
Since our clientele is exclusively Plaintiff, we can participate or help lead your 30(b)(6) deposition process, including testimony to help compel such examination of the IT’s PMK on the corporate side when defense attempts to avoid the process and just provide organization charts and written responses. We will advise you about the propriety of defendant’s proposed collection protocols, which in our experience, tend to reflect another method of narrowing the evidence field to carve away otherwise responsive and often highly relevant documents.ILS is truly global, with resources around the world and the ability to have forensic feet on the street where you need them. However, to help reduce the cost of forensic collection, ILS often utilizes remote collection techniques which enable collection of most data without the need to incur travel expenses. Since much of the cost of forensic collection is waiting for the data to transfer, ILS avoids those invoice bloating charges through our remote collection technology, which enable us to perform multiple collections from our lab where we only charge for the time that the forensic engineer is working on your matter.
Uncovering Hidden Data
What you can’t see can hurt you or help you. Uncovering and tracing hidden data is important to your case. ILS is expert at recovering data that has been deleted, and is often able to recover even “double deleted” emails, (those emails which the user deletes from the application and also from the Recycle Bin). We regularly conduct analysis to determine what has been done with the device, what was deleted and whether it can be recovered.
We also provide overall analysis about what was on the drive with the ability to report on the number and size of each type of file, show the various folder / subfolder organization and much more. When spoliation, fraud or other mischief is indicated, ILS can perform Deep Dive Analysis which probes the byte level reaches of data storage to find evidentiary fragments, examine system metadata to determine user activity and access (see more below), use of wiping software, etc.
We also provide overall analysis about what was on the drive with the ability to report on the number and size of each type of file, show the various folder / subfolder organization and much more. When spoliation, fraud or other mischief is indicated, ILS can perform Deep Dive Analysis which probes the byte level reaches of data storage to find evidentiary fragments, examine system metadata to determine user activity and access (see more below), use of wiping software, etc.
ILS’s investigations of user activity are robust and reflect our investigatory range and acumen. Depending on your case, some or all of the following services may help you uncover hidden evidence:
Email Analytics.This can produce important information about email chain analysis, email custodian analysis and email threads. Review emails as full conversations rather than as fragments that are scattered throughout the data field like pieces of a jigsaw puzzle (and may end up being coded differently by different reviewers based on the partiality of their content). Understand the connections of conversations and locate missing custodians or discover important witnesses.
Metadata retrieval and production. Also known as “data about data,” metadata can be retrieved to discover when and where documents were created, prior past versions of files or emails, and information about users who have access. The printed content of eDocuments is only the tip of the iceberg. Metadata is a wealth of information just waiting to be discovered. ILS will show you how.
Reconstruction of File Activity - A listing in chronological order is assembled depicting the date, time, and location of documents that were accessed and otherwise interacted with the target custodian.
Support for preparation of client witnesses. This includes preparing witnesses for deposition and trial testimony, and using our own experts for Affidavits or testimony, as needed. Uncover the story with ILS created Witness Kits that include all documents related to a case character in easy to understand chronological order. Deposition Preparation Reports present the key documents uncovered by our analytics. When combined with our Issue Building, you’ll be able to evaluate the sufficiency of evidence and probative value for each issue, then applying that knowledge, better understand the additional discovery you will want to seek from your deponents or what additional discovery you may need
Recovery of Active and Deleted File Information - A listing of documents and other files, including files that had been deleted, is assembled, along with their metadata depicting the date the files were created, last accessed, last modified, date deleted, their folder path, and other attributes are assembled into Excel spreadsheets. Recover intact deleted documents and non-email files, as well as double-deleted email messages from email container files, residing on the computers.
USB Device History Reconstruction – Reconstruct USB device information through the creation of an inventory of all USB flash drives and external hard drives that were attached to the computers, along with dates such devices were attached and their serial numbers.
Webmail & IM Chat Log Recovery – Recover and assemble for review web-based email messages and Instant Messaging chat logs sent, received, and/or read.
Internet Activity Reconstruction - Reconstruct the date, time, and URL of websites visited, which are presented as Excel spreadsheets for review.
Perform Keyword Searches - Perform keyword searches of active files, intact deleted files, and deleted fragments of email messages, documents, and other files.
Assess Presence of Anti-Forensic Attempts - Information surrounding if any anti-forensics evidence elimination techniques (data wiping software) were employed to thwart the recovery of deleted documents, email messages, and other files.
Perform Smart Phone Backup Searches – Attempt to locate any smart phone backups that may have saved to target computer. Restoration and investigation of these backups, if they exist would be undertaken adjunct to the primary investigation if included as such, but normally is handled subsequent to the initial protocol.
Trace artifacts – This is data residue left behind by the operating system. We can find these artifacts and evaluate the information found.
Process hidden files – This includes files that are invisible or inaccessible. We can analyze the date codes for each file to see when files were created, modified, last accessed and deleted.
Email Analytics.This can produce important information about email chain analysis, email custodian analysis and email threads. Review emails as full conversations rather than as fragments that are scattered throughout the data field like pieces of a jigsaw puzzle (and may end up being coded differently by different reviewers based on the partiality of their content). Understand the connections of conversations and locate missing custodians or discover important witnesses.
Metadata retrieval and production. Also known as “data about data,” metadata can be retrieved to discover when and where documents were created, prior past versions of files or emails, and information about users who have access. The printed content of eDocuments is only the tip of the iceberg. Metadata is a wealth of information just waiting to be discovered. ILS will show you how.
Reconstruction of File Activity - A listing in chronological order is assembled depicting the date, time, and location of documents that were accessed and otherwise interacted with the target custodian.
Support for preparation of client witnesses. This includes preparing witnesses for deposition and trial testimony, and using our own experts for Affidavits or testimony, as needed. Uncover the story with ILS created Witness Kits that include all documents related to a case character in easy to understand chronological order. Deposition Preparation Reports present the key documents uncovered by our analytics. When combined with our Issue Building, you’ll be able to evaluate the sufficiency of evidence and probative value for each issue, then applying that knowledge, better understand the additional discovery you will want to seek from your deponents or what additional discovery you may need
Recovery of Active and Deleted File Information - A listing of documents and other files, including files that had been deleted, is assembled, along with their metadata depicting the date the files were created, last accessed, last modified, date deleted, their folder path, and other attributes are assembled into Excel spreadsheets. Recover intact deleted documents and non-email files, as well as double-deleted email messages from email container files, residing on the computers.
USB Device History Reconstruction – Reconstruct USB device information through the creation of an inventory of all USB flash drives and external hard drives that were attached to the computers, along with dates such devices were attached and their serial numbers.
Webmail & IM Chat Log Recovery – Recover and assemble for review web-based email messages and Instant Messaging chat logs sent, received, and/or read.
Internet Activity Reconstruction - Reconstruct the date, time, and URL of websites visited, which are presented as Excel spreadsheets for review.
Perform Keyword Searches - Perform keyword searches of active files, intact deleted files, and deleted fragments of email messages, documents, and other files.
Assess Presence of Anti-Forensic Attempts - Information surrounding if any anti-forensics evidence elimination techniques (data wiping software) were employed to thwart the recovery of deleted documents, email messages, and other files.
Perform Smart Phone Backup Searches – Attempt to locate any smart phone backups that may have saved to target computer. Restoration and investigation of these backups, if they exist would be undertaken adjunct to the primary investigation if included as such, but normally is handled subsequent to the initial protocol.
Trace artifacts – This is data residue left behind by the operating system. We can find these artifacts and evaluate the information found.
Process hidden files – This includes files that are invisible or inaccessible. We can analyze the date codes for each file to see when files were created, modified, last accessed and deleted.