4Sight Computer Forensic Services

4sight Forensic Solutions


Forensic Imaging
To preserve the integrity of the data on the suspect computer, the following procedure is by far the best:
Switch off the computer (how is another matter)
Remove the hard disk drive and connect it to the imaging computer via a write blocking device (data can only be read from the HDD not written to it)
Take a bit-for-bit copy of the whole of the HDD, usually using one of the recognised forensic imaging tools or, if needs must, dd
Repeat in order to achieve 2 copies of the HDD and verify that they are true copies
Power on the suspect computer and establish the date and time settings
Replace the HDD in the computer and ensure that the BIOS can once again identify the disk but do not let Windows begin its startup.
Image Examination
To examine the forensic image of an HDD, the image must be processed in order to recreate the original file system. There exist forensic tools that enable this to be done. Alternatively, the raw image can be mounted as a virtual, read-only volume using Linux. Once processed, the contents of the HDD can be viewed as if viewing the original. Files can be examined and extracted, and metadata interpreted. Deleted files can be recovered using several techniques, including identifying file header information in unallocated space and examining data contained in the FAT or MFT. Some file systems do not lend themselves to easy file undeletion.
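The header-based recovery mentioned above, sketched as an added example (not 4sight's tooling or code from this page): it scans a raw buffer for well-known JPEG and PNG header and footer signatures and carves out each complete match. The sample buffer, the function names and the size limit are assumptions made for illustration.

```python
"""Header/footer carving over a raw buffer standing in for unallocated space."""
import hashlib

# File type -> (header magic, footer magic); both are standard format signatures.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # assumed limit: stop looking for a footer after 10 MiB


def carve(data, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return [(type, start_offset, carved_bytes)] sorted by offset.

    Contiguous files only: fragmented files, and JPEGs with an embedded
    thumbnail (which carries its own FF D9), will be carved short.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: tail overwritten or fragmented.
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((ftype, pos, data[pos:end]))
            pos = data.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def build_sample():
    """Constructed buffer: zero fill with two file remnants and one orphan header."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"tail overwritten"  # no footer follows
    buf = (b"\x00" * 512 + jpg + b"\x00" * 300 + png
           + b"\x00" * 200 + orphan + b"\x00" * 64)
    return buf, jpg, png


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for ftype, offset, blob in carve(sample):
        digest = hashlib.sha256(blob).hexdigest()
        print(f"{ftype} at offset {offset}: {len(blob)} bytes, sha256 {digest}")
```

Recording the offset and hash of each carved object lets the recovery be tied back to a position in the verified image.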
Data Recovery
Data can become inaccessible for a number of reasons. However, in 90% of cases the data can be easily recovered. Most of these recoveries require the use of specialist software. At 4sight, the strategy is to conduct a diagnostic examination of the media in order to determine the nature of the inaccessibility. If the data can be recovered during this stage, it will be, and no further action will be necessary. However, in up to 10% of cases more intricate measures will be necessary, such as in the case of hardware failure. Only following the diagnostic phase will we be in a position to estimate the viability of recovery and the likely cost.
©Copyright 2008 4sight-Forensics