Digital Forensic Analysis

Data Recovery and Analysis

Planet Data consultants have the ability to recover data that has been intentionally or accidentally deleted, moved, hidden, or destroyed. Through the use of specialized forensic techniques and software, deleted files, partial files, and fragmented files can all be recovered (many times fully recovered) from the recycle bin, unallocated space, slack space, memory dumps, swap files, shadow copies, etc.

If the actual media itself is damaged, it may still be possible to recover data from the damaged drive or piece of media by disassembling the physical media device and performing analysis in a clean room.

Analysis of User Activity

Planet Data consultants have the ability to accurately determine user activity through many forensic techniques and by using specialized forensic tools to perform an analysis in the below outlined categories:

  • Metadata Analysis: Data about data.
  • Deleted Data Analysis: File carving of content, potentially recovering any of the items in this very list.
  • Thumbnails and Thumbnail Cache: Images of files previously located in a directory with TOD.
  • MAC Times Analysis: Modified, Accessed and Deleted Times of Files.
  • Internet History: Sorted by user as outlined in registry and profile data, with the exact times sites were visited, how often, and using which browser.
  • Website Cookies: Site tracking.
  • Swap File Analysis: Windows writes active memory to files. These swap files may include full file data that can be carved.
  • Memory Dump Files: RAM dumped to disk may contain a large amount of file data outlining user activity.
  • Shadow Copies: Windows creates restore points that save registry and snapshot info of the system at a specific time. These files may contain any item in this list.
  • Email Analysis: PST, OST, Apple Mail, NSF email data and timelines.
  • Cellular System Analysis: All mobile phone data.
  • Call Detail Records: Carrier provided data of a user’s activity.
  • Link Files (Windows Shortcuts): Whenever a file is opened, closed, moved or deleted, these link files tell the tale.
  • Social Media Analysis: Facebook, internet chatrooms, mail, Twitter, LinkedIn, all recoverable and telling.
  • Video and Photo Analysis: Either carved or active, content and time of day.
  • File Sharing: Which files were shared with whom, with dates and times.
  • Registry Analysis: Every setting that Windows uses to provide a user his profile experience, account settings, OS install date, which programs are installed, removable media history, user names, passwords, last logon times, recent documents, run lists, typed URLs, wireless connections, network info, IM contacts, etc.
  • DB File Analysis: Database files can contain unlimited amounts of data related to the operating system, application settings, internet data, financial data, and Apple Mac OS settings (equivalent to the Windows registry).
  • GPS Devices: Where exactly was an individual and when?
  • Accounting Systems Software: Bank accounts, transactions, dates, and times.
  • Password Recovery and File Decryption: Decrypt files and evaluate for content.
  • Installed or deleted application analysis: Which applications and for what purpose? When were they run? Installed and uninstalled?
  • Virtual Machine File analysis: Locate and analyze entire virtualized systems that constitute a brand new collection and investigation.
  • Cloud Applications and Files: Data in the Cloud.

Handling Password Protected Files

Planet Data consultants have the ability to recover passwords for protected files, decrypt files through other forensic means, or otherwise bypass passwords altogether for security access to devices, privileged areas or files. We use specialized tools and techniques to form word lists for use in dictionary attacks, utilize rainbow tables, and perform various other password attacks (brute force, biological dictionary attacks, use of registry data and internet history data to crack passwords, etc.). All decrypted files are evaluated for content, preserved and added to the case for processing.

Expert Reporting

All data collection and forensic analysis is meticulously documented, outlining exactly what was performed, when it was performed, why it was performed, who performed it and what the results were. All collected data has full collection logs with full chain of custody reporting attached for each custodian on each device.

All forensic steps are explained in terms anyone should be able to understand, taking great care not to confuse or flood an audience with unnecessary or extraneous data.

Litigation Planning/Preparation

Planet Data consultants have the necessary experience and ability to work with counsel thoroughly and completely, throughout the case, assisting with pretrial motions, meet and confer, depositions, question and answer preparation, technical preparation relating to presentation of evidence in court, opposing expert litigation prep, etc.
