Forensic Evidence Recovery.
Computer Science Labs recovers forensic evidence from ALL types of digital data storage media. Hard Drives, Laptops, Mobile Phones, CCTV and Wearable technology such as Fitbits. We undertake all work in our state of the art facilities and comply with the recent Forensic Science Regulations and reporting procedures. If you require our services in support of legal matters then please contact our CONFIDENTIAL help desk and ask to speak to the Forensics Department;
0871 231 6806
Evidence Acquisition.In All cases Computer Science Labs (CSL )will require a Chain of Custody (COC) Statement to accompanies any Evidence Exhibit device that is to be considered in legal proceedings in either the criminal or civil courts of law. This document is testimony to the handling of the digital data recording device/s immediately prior to the start of investigation procedures. An investigation can be considered to have started at the point CSL receive a device/exhibit and therefore CSL can be seen to instigate this documentation. The document records the unique references associated with the device such as Make, Model Number and Serial Number and any specific identification marks termed URN’s. Importantly the document records who has physically handled the evidence items and at what precise date and time they accepted and relinquished the evidence items. Items need to be carried and packed in evidence bags and high security facilities with secure and unique lockers.
Forensic Digital Duplication (clone).Computer Science Labs computer and digital forensics data recovery service will make an exact copy of the evidence Exhibits suspect equipment’s storage media e.g. hard disk(s), USB, flash memory, mobile phone etc., as soon as is possible after the equipment or computer has been received at our lab facility. The precise duplicate copy must include ALL the normally accessible files and ALL the sectors of the storage media, even if initially they appear to be empty, such that any deleted data fragments can be recovered. Our processes and procedures militate against contaminating evidence data so that what is produced is an accurate and detailed snapshot immediately prior to seizure. This process is called “forensic imaging” and must be undertaken using correct tools and procedures.
Forensic Records.In all cases and particularly where the actual storage device is faulty or damaged our technicians will record and document each action and the results of each action taken such that there is no opportunity for others to question the technician’s duties. The main hardware product used in data recovery is a “write-protect” device; it is installed along the cable that connects a hard disk , mobile phone or similar medium to a computer and, as the name implies, allows data on the hard disk to be read but blocks all attempts at writing to it. Testimony to these procedures is evident in the records we keep and the continuity and accuracy of he recorded results. The UK criminal justice system demands that these procedures are compliant with the Forensic Science Regulators published recommendations.
Imaging Methods.Computer Science Labs uses a variety of software products and fast hardware imaging to handle the recovery process, eg FTK Imager regarded as “de-facto” in the forensics industry and a part of a broader forensics suite of applications. These products often contain in-built integrity checking, so that an “image file” (intermediate file which either can be directly examined or from which exact clones of the original can be made) can be verified against the original using “digital fingerprinting”.
nb. Not all imaging products can cope with all the disk operating systems that might be encountered and some versions of well-known products may fail to capture everything on a hard disk, which is why competent technicians need to be employed to carry out the work.
Need Assistance CALL: 0871 231 6806
RAID and Network Systems.Computer Science Labs also provide forensic data recovery services involving RAID arrays, Servers, Networked Computer and CCTV installations. These are typically deployed in shared user or input environments and specialist techniques are required when retrieving evidential data.
Evidence.Seized computers will normally be regarded as “real” evidence for admissibility purposes. However, the contents of individual documents (files) found on a computer may need to be admitted separately, particularly if more than one person has had routine access to that computer and each investigator will need to demonstrate that they are “authorized” to access the computers for the purposes of the Computer Misuse Act.
Novel Data Recovery Procedures.Data storage devices involved in our case work frequently arrive at our laboratories in poor condition, normally as a result of environmental or malicious damage. Computer Science Labs Ltd., has developed Novel Data Recovery tools and capabilities designed to restore such devices to a working condition. Such restoration, rebuild and retrieval are of huge benefit to individuals who need access to high worth or extremely sensitive data that was not possible using "consumer" type services. Provided the integrity of the recording media is still intact then in the majority of cases data may be retrieved from such devices. In a number of cases however the recording media may be damaged typically as a result of maltreatment, heat or water damage etc. In these cases research and development is conducted and Novel Data Recovery Procedures are employed in order to may retrieve data from the unaffected areas of the recording media. The methods used, contemporaneous case work notes, videos and various reference material recorded and validated.
CCTV Forensic Case Work.Closed Circuit Television (CCTV) is now a significant factor in the prevention and detection of crime; CCTV facilitates evidence of physical and verbal actions vital in presenting facts as evidence to support a parties assertions of innocence or guilt CCTV analysis includes the extraction, review and presentation of CCTV footage for legal matters. The extraction of the CCTV digital file records to a CD or DVD so that they can be viewed and presented using a normal computer system is a fairly straightforward process. However, in some systems CCTV proprietary file systems means that the extraction and viewing and analysis of files can be time consuming and complex. Additionally, failure of the CCTV hard disk drive can result in the requirement for a forensic data recovery before the CCTV analysis can start.
Computer Science Labs Ltd., - In all such cases, can offer a comprehensive evidence recovery service to any individual, business, police, law enforcement agency or data forensic provider that facilitates access to vital evidence data whilst operating within the full forensic imperative of CPR (Civil Procedure Rules), FSR procedures and ACPO (Association of Chief Police Officers) recommendations.
The FSR has stated that all Digital Forensic Science Laboratories shall be accredited to ISO 17025 and that various methods and procedures will be included within its scope. The FSR also recognizes the financial burden placed on independent laboratories in the application, validation and accreditation of the the methods and procedures involved. In this it has established a Digital Forensics Working Goup to assist in determining clear policy within the CJS for accreditation.