Data Acquisition & Imaging


Data Acquisition

Powerhouse Forensics technicians have the electronic discovery and computer forensics experience to extract the ESI on laptops, desktops, servers, virtual servers, cellular phones, smart phones, external drives, and other types of electronic media.

Powerhouse Forensics specialists not only retrieve hidden or encrypted data from networks, hard drives, and other electronic sources but also document every step of the electronic discovery. The findings are compiled into a written digital forensic report explaining what the data reveals. If you choose to take legal action, our accredited investigators, with years of experience and knowledge of the legal process, can testify in court to this forensically sound data.

The specialists at Powerhouse Forensics are well-versed in all major operating systems, including Mac OS, Windows, and Linux, and begin any investigation by examining the networks, hard drives, and backup drives associated with the device.

Our digital forensic experts protect all hardware, software, and data from being compromised during the search; locate encrypted or hidden files; break or bypass any codes or passwords needed to retrieve information; and recover deleted files. We also document every step of the investigation so that it can be presented clearly to a judge or jury.

It is essential to follow a legally correct computer forensic process while obtaining evidence of any illicit activity. To gather forensic evidence, you need a licensed specialist with knowledge of hardware architecture, software systems, and the legal process. The right forensic evidence gathered in the wrong way can ruin the chances of presenting the forensic evidence in court. As electronic data can be a crucial factor in any digital forensic case, the proper procedure is essential.

Understanding the many forms digital forensic evidence takes is a core skill of Powerhouse Forensics experts. Acquiring data from a laptop is different from acquiring it from a virtual drive or an iPhone, and our computer forensic experts have the experience to acquire ESI from each of the media types listed above.

Having the right equipment, knowing how to work with live systems, and working quickly and discreetly are all skills of Powerhouse Forensics technicians.

Data Imaging

Data imaging is focused on preserving unspoiled evidence for use in negotiation, an internal investigation, civil court, or criminal court. A critical step in a professional e-investigation is imaging, that is, creating an exact replica of the device and the data being considered as digital forensic evidence. This resembles how a physical crime scene is photographed before evidence and leads are collected.

The experts at Powerhouse Forensics use well-respected technology, such as EnCase, and established standards to ensure that any evidence found will be admissible at trial.

Once the source media is obtained, it is connected through a hardware write-blocker and duplicated with our hard drive duplicator, or imaged with software tools such as EnCase, FTK Imager, or FDAS.

MD5 and SHA hash values are then computed for the source media and for the image and compared to verify the copy. The imaging procedure varies with whether the device is powered on or off, the scenario, the case scope, whether we are imaging for our client or for the opposing side, the operating system, time constraints, directives in the court order, and so on, but some steps are common to every acquisition.

These include starting the chain of custody; recording the type, brand, model, and serial number of the device and storage media inside the device; photographing devices and storage media inside devices; verifying the accuracy of the date and time of the device; and verifying the information collected.

Each type of ESI source (laptops, desktops, servers, hosted drives, mobile phones, and smartphones) has its own steps in the imaging process.


Laptops:

The laptop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the whole drive image. The drive is removed from the laptop and connected to the imaging device through a write-blocker, so nothing is written to the original.

The forensic image is verified by comparing its hash values against those computed from the original drive, checked for errors, and loaded in the forensic software to check for partitions, file systems, and encryption. The laptop's internal calendar and clock are checked and noted, and the drive is re-installed in the laptop.
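The two verification layers described above, block checksums throughout the image plus MD5/SHA1 over the whole image, are worth seeing side by side, because they answer different questions. The following is an added example, not Powerhouse Forensics', EnCase's or FTK Imager's code; the "drive" is a constructed in-memory byte string read through a file-like object so the example runs offline, and the 4096-byte block size is an assumption (EnCase's E01 format defaults to 64 sectors per checksummed chunk).

```python
"""Bit-for-bit imaging with per-block CRC32 and whole-image MD5/SHA-1 verification.

Added example, not Powerhouse Forensics', EnCase's or FTK Imager's code. The
"drive" is a constructed bytes object read through io.BytesIO; a real
acquisition reads the block device behind a hardware write-blocker.
"""
import hashlib
import io
import zlib

BLOCK_SIZE = 4096  # assumption: bytes per CRC-protected block


def make_evidence(blocks=8, block_size=BLOCK_SIZE):
    """Constructed stand-in for a small drive: block i is filled with byte i."""
    return b"".join(bytes([i % 256]) * block_size for i in range(blocks))


def image_device(src, block_size=BLOCK_SIZE):
    """Read a file-like source block by block.

    Returns (image_bytes, per_block_crcs, md5_hex, sha1_hex). The hashes are
    fed from the bytes as they come off the source, so they describe the
    original media; the CRC list is the 'checksum throughout the image' that
    lets a later verification localise damage to a specific block."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    image, crcs = io.BytesIO(), []
    while True:
        block = src.read(block_size)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
        crcs.append(zlib.crc32(block))
        image.write(block)
    return image.getvalue(), crcs, md5.hexdigest(), sha1.hexdigest()


def acquire(evidence):
    """Image an in-memory 'drive' (convenience wrapper for the demo)."""
    return image_device(io.BytesIO(evidence))


def verify_image(image, crcs, md5_hex, sha1_hex, block_size=BLOCK_SIZE):
    """Re-hash the stored image and re-check every block CRC.

    Returns (ok, bad_blocks). ok is True only when the MD5 and SHA-1 of the
    image equal the acquisition hashes and every block CRC matches. bad_blocks
    lists the damaged (or missing) block indices, which a bare 'hash differs'
    result cannot tell you. A truncated image shows up as missing trailing blocks."""
    n_blocks = max(len(crcs), -(-len(image) // block_size))  # ceil division
    bad = [i for i in range(n_blocks)
           if i >= len(crcs)
           or zlib.crc32(image[i * block_size:(i + 1) * block_size]) != crcs[i]]
    hashes_ok = (hashlib.md5(image).hexdigest() == md5_hex
                 and hashlib.sha1(image).hexdigest() == sha1_hex)
    return hashes_ok and not bad, bad


def simulate_damage(image, block_index, block_size=BLOCK_SIZE):
    """Flip one byte inside a block: models a bad sector on the image storage."""
    damaged = bytearray(image)
    damaged[block_index * block_size] ^= 0xFF
    return bytes(damaged)


if __name__ == "__main__":
    evidence = make_evidence()
    image, crcs, md5_hex, sha1_hex = acquire(evidence)
    print("MD5 ", md5_hex)
    print("SHA1", sha1_hex)
    print("clean image  :", verify_image(image, crcs, md5_hex, sha1_hex))
    print("damaged image:", verify_image(simulate_damage(image, 3), crcs, md5_hex, sha1_hex))
```

The whole-image hashes are what goes in the report and what opposing counsel will recompute; the block checksums are an operational aid that tells the examiner which part of an image failed, so a single bad sector on the evidence storage does not force a blind re-acquisition. MD5 and SHA1 remain adequate for detecting accidental corruption of an image you acquired yourself; many labs additionally record a SHA-256 value because both older algorithms are no longer collision resistant.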

Desktops:

The desktop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic images. The number and type of storage devices in the desktop is determined. The hard drive(s) are removed from the desktop, and the type, brand, model, and serial number of each drive are recorded and photographed.

The drive is then connected to a high-speed forensic imaging device, which determines whether any hidden areas of the hard drive exist, such as a DCO (Device Configuration Overlay) or HPA (Host Protected Area), and creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image.

The digital forensic image is verified by comparing its hash values against those computed from the original drive, checked for errors, and loaded to check for partitions, file systems, and encryption. The internal calendar and clock of the desktop are noted, and the drive is re-installed in the desktop.
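The HPA check mentioned above is easy to get wrong, because an HPA hides sectors from the operating system, so imaging /dev/sdX as the OS sees it silently produces a short image. On Linux the drive's current and native maximum sector counts can be read with `hdparm -N`. The following added example (not Powerhouse Forensics' procedure or a feature of any imaging appliance) parses constructed samples of that output, derives the hidden area, and checks that an image spans the native capacity; the 512-byte logical sector size is an assumption.

```python
"""Detecting a Host Protected Area from `hdparm -N` output and checking that an
image covers the drive's native capacity.

Added example, not Powerhouse Forensics' procedure. The hdparm output below is
constructed to match the tool's format, not captured from a real case.
"""
import re

SECTOR = 512  # assumption: 512-byte logical sectors (4Kn drives report 4096)

# Constructed samples of `hdparm -N /dev/sdX` output (Linux).
HDPARM_N_HPA = """/dev/sdb:
 max sectors   = 488281250/976773168, HPA is enabled
"""
HDPARM_N_CLEAN = """/dev/sdc:
 max sectors   = 976773168/976773168, HPA is disabled
"""

_PATTERN = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")


def parse_hdparm_n(text):
    """Return current and native max sector counts and the derived HPA size.

    `current` is what the OS (and a naive dd of /dev/sdX) sees; `native` is the
    drive's real addressable size. A DCO lowers *both* numbers, so an equal pair
    does not rule out a DCO; that needs `hdparm --dco-identify` as well."""
    m = _PATTERN.search(text)
    if not m:
        raise ValueError("unrecognised hdparm -N output")
    current, native = int(m.group(1)), int(m.group(2))
    if current > native:
        raise ValueError("current max exceeds native max; output is inconsistent")
    return {
        "current_max_sectors": current,
        "native_max_sectors": native,
        "hpa_present": current < native,
        "hidden_sectors": native - current,
        "hidden_bytes": (native - current) * SECTOR,
        "flag_says_enabled": m.group(3) == "enabled",
    }


def image_covers_native_size(image_len, info):
    """An image is complete only if it spans the native capacity, not the
    visible, HPA-reduced one."""
    return image_len == info["native_max_sectors"] * SECTOR
```

In practice the examiner either removes the HPA temporarily (a reversible, documented change) or uses a hardware imager that reads to the native maximum; either way the expected image size is native sectors times sector size, and the acquisition log should record both numbers.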


Servers:

The server hard drive imaging process creates a forensically sound bit-by-bit copy of each drive to a set of digital forensic images. The number and type of storage devices in the server and the RAID type and configuration are determined. The hard drives are removed from the server one at a time, and each drive's slot position, type, brand, model, and serial number are recorded and photographed.

One at a time, the drives are then hooked up to a high-speed computer forensic imaging device, and a forensically sound bit-by-bit copy of each drive is created to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image.

The digital forensic images are verified and compared against the original hash value, checked for errors, and loaded (virtually rebuilding RAID configurations in the forensic software where necessary) to check for partitions, file systems, and encryption. The internal calendar and clock of the server are noted, and the drives are re-installed back into the server.
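Virtually rebuilding the RAID, as described above, means reading the member images in recorded slot order and undoing the controller's striping and parity rotation. The following added example (not Powerhouse Forensics' or EnCase's code) does this for RAID-5 with the four standard rotating-parity layouts, recovers one missing member from parity, and shows a parity-consistency check; the member images are constructed in memory, and the chunk size and layout are assumptions an examiner has to confirm against the assembled volume.

```python
"""Virtual RAID-5 reassembly from per-member forensic images.

Added example, not Powerhouse Forensics' or EnCase's code. Member images are
constructed here; in practice they are the verified bit-for-bit images of
each physical drive, listed in the slot order recorded at removal. Chunk
(stripe unit) size and layout are assumptions; Linux md defaults to
left-symmetric.
"""

LAYOUTS = ("left-symmetric", "left-asymmetric", "right-symmetric", "right-asymmetric")


def _xor(chunks):
    """XOR equal-length byte strings together."""
    acc, size = 0, 0
    for c in chunks:
        size = len(c)
        acc ^= int.from_bytes(c, "big")
    return acc.to_bytes(size, "big")


def _parity_disk(stripe, n, layout):
    if layout not in LAYOUTS:
        raise ValueError(f"unknown layout {layout!r}")
    # "left": parity rotates from the last disk downwards; "right": from the first upwards
    return (n - 1) - (stripe % n) if layout.startswith("left") else stripe % n


def _data_disks(stripe, n, layout):
    """Disk indices holding data chunks 0..n-2 of this stripe, in logical order."""
    p = _parity_disk(stripe, n, layout)
    if layout in ("left-symmetric", "right-symmetric"):
        return [(p + 1 + j) % n for j in range(n - 1)]  # data starts after parity, wraps
    return [d for d in range(n) if d != p]  # data fills disks in order, skipping parity


def raid5_split(volume, n, chunk, layout="left-symmetric"):
    """Write a logical volume onto n constructed member images (demo fixture)."""
    row = (n - 1) * chunk
    if len(volume) % row:
        volume += b"\x00" * (row - len(volume) % row)
    stripes = len(volume) // row
    members = [bytearray(stripes * chunk) for _ in range(n)]
    for s in range(stripes):
        data = [volume[s * row + j * chunk:s * row + (j + 1) * chunk] for j in range(n - 1)]
        off = s * chunk
        for j, d in enumerate(_data_disks(s, n, layout)):
            members[d][off:off + chunk] = data[j]
        members[_parity_disk(s, n, layout)][off:off + chunk] = _xor(data)
    return [bytes(m) for m in members]


def parity_consistent(members, chunk):
    """True if every stripe row XORs to zero.

    This confirms the member set is complete and the images are aligned. It
    does NOT confirm chunk size or layout, because the XOR identity holds at
    any aligned offset; confirm those by checking that the assembled volume
    carries a sane partition table or filesystem header."""
    if any(m is None for m in members):
        raise ValueError("parity check needs every member present")
    size = len(members[0])
    return all(_xor(m[off:off + chunk] for m in members)
               == bytes(len(members[0][off:off + chunk]))
               for off in range(0, size, chunk))


def _read_chunk(members, d, off, chunk):
    if members[d] is not None:
        return members[d][off:off + chunk]
    # missing drive: its chunk is the XOR of every other disk's chunk in this row
    return _xor(members[k][off:off + chunk] for k in range(len(members)) if k != d)


def raid5_assemble(members, chunk, layout="left-symmetric"):
    """Rebuild the logical volume. members[i] is the image of slot i, or None
    for a single missing or failed drive whose chunks are recovered from parity."""
    n = len(members)
    present = [m for m in members if m is not None]
    if len(present) < n - 1:
        raise ValueError("RAID-5 tolerates only one missing member")
    size = len(present[0])
    if any(len(m) != size for m in present):
        raise ValueError("member images differ in size")
    out = bytearray()
    for s in range(size // chunk):
        off = s * chunk
        for d in _data_disks(s, n, layout):
            out += _read_chunk(members, d, off, chunk)
    return bytes(out)
```

A wrong layout or chunk-size guess does not fail loudly: the parity check still passes and the assembled volume is simply scrambled, which is why the reassembled image must be loaded and its partitions and file systems checked, exactly as the procedure above states.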

Hosted drives:

The hosted drive imaging process creates a forensically sound copy of the hosted drive, bit-by-bit where the environment permits, to a set of digital forensic images. The type of hosting, the hosting environment, the server hardware, the client and server host versions, and the operating system are determined.

The most accurate and efficient access method is determined depending on the hosting environment. Forensic imaging software is run from a hosting account with proper permissions and access for the scope of imaging.

Forensic imaging software is run on requested data to create a forensically sound copy of the requested files and data with necessary hash values. The digital forensic images are verified and compared against the original hash values, and checked for errors. An appropriate chain of custody is started for the collected data.


Flash drives or other small medium:

The device holding the media (a camera, phone, or other device) is photographed. The type of storage media is determined; the media is removed from the device if necessary, and its type, brand, model, and serial number are recorded and photographed. The media is then connected to an appropriate hardware write-blocker (via an adapter or card reader if necessary).

Forensic imaging software is run to create a forensically sound bit-by-bit copy of the media to a set of forensic image files that contain checksum values throughout the forensic image and MD5 and SHA1 hash values for the image of the media.

The forensic image is verified and compared against the original hash value, checked for errors, and loaded to check for partitions, file systems, and encryption. The internal calendar and clock of the device are noted, and the media is re-installed back into the device if necessary.

Mobile and Smart phones:

The mobile imaging process creates a forensically sound copy of the phone's storage to a set of forensic images. The phone is examined for internal storage, removable flash storage, and a SIM card.

If a SIM card is present, it is removed and cloned without the provider network information, so the phone can operate with the clone but cannot connect to the provider network. This keeps the phone isolated: it prevents remote wiping and blocks incoming calls, messages, voicemail, and other traffic that could overwrite deleted information on the device. Removable flash storage is removed and imaged according to the "Flash drives or other small medium" procedure. If the phone has no SIM card, it is instead placed inside a Faraday container, which prevents wireless signals from reaching it.

The phone is then connected to a mobile phone forensic imaging device using the appropriate cable or connection method and imaged in one or more ways depending on the access methods it supports, which may include direct access, software query, file system dump, or physical image. The images are verified against the original hash values, checked for errors, and loaded to verify the data.

Atypical scenarios include "hostile imaging" (not dissimilar from some of the issues encountered at Noble); physical access issues, such as site security or not having proper authorization for the areas where the hardware to be imaged is located; encryption; employees finding out about the imaging and "forgetting" the company laptop at home that day; unexpected drive types or sizes requiring specialized imaging hardware or software; slow or older hardware that significantly increases imaging time; missing hardware; failing drives or media; court orders or other agreements that prevent looking at or verifying collected data, which is later found to be invalid, encrypted, or from the wrong custodian once access is granted; and last-minute changes to the scope or to the hardware needed for the imaging process.
