Frequently Asked Questions
A forensic examination can indicate which external devices have been connected to a specific device and at what time. Most devices provide make, model, and in some cases, serial number of the external device. This information can serve as a guide for examining other possible devices used during the investigation.
A forensic examination can produce a list of files deleted from the digital device and recover some or all of these files. However, in some cases, deleted files that are overwritten by new data cannot be fully recovered.
When a file is deleted, the section of the hard drive where the file was located is marked as deleted, and the system treats it as “unallocated space.” The data still remains on the drive, although it is no longer “visible” on the computer. If the scanned device or hard drive does not contain any deleted items, it may indicate some intentional data deletion or operating system reinstallation.
Forensic copying is making an accurate and unaltered copy of data, including metadata of original files, but it is not a complete image of the original drive. Its function is to collect and preserve assets of interest to your case.
A forensic copy may be necessary to preserve data from a shared server or cloud storage in cases where the drive has multiple users or where the drive must remain in use. However, the disadvantage of a forensic copy is that it does not include unallocated or unused space, so it does not allow files or deleted information to be recovered.
Metadata is data about data: a record of information such as the date and time a file was created and the dates and times it was accessed or modified. Using specialized forensic software, it is possible to identify the data’s author, the file’s number of revisions, and the last time it was printed. In addition, metadata can reveal where and when photos or videos were taken and the type of camera or device used.
Digital forensics is a science that involves recovering and investigating items found on electronic devices, usually done as part of a legal dispute. Forensic examinations can be performed on virtually any device with digitally stored data, such as cell phones, laptops, hard drives, servers, thumb drives, SD cards, and even cloud storage.
Encryption is a digital process in which data is converted into another format that cannot be read without entering a password or key. Therefore, until the key is entered, users’ information remains encoded and incomprehensible.
If a file is encrypted, a forensic examiner requires the key to decrypt the data. If the key is not supplied or available, a live forensic image may be the only option to access the data since only the active processor can decrypt it.
Companies increasingly use encryption to protect their data. Among the most popular encryption programs are McAfee’s SafeBoot Encryption, Symantec’s Endpoint Encryption, and PGP Whole Disk Encryption, as well as BitLocker, the built-in Windows encryption program, and FileVault, Apple’s encryption program.
A forensic or clone image is a read-only image of an entire storage drive containing all files and unallocated or unused space on the hard drive. Creating a forensic image or drive copy is useful to access evidence of the original device without making any alterations. The examinations are performed only on the copy, and it is indispensable to obtaining legally admissible evidence.
Hardware or software duplicators are used to make a forensic image. In the case of encryption, a live forensic image is needed to make a clone; it is obtained by imaging the computer while it is switched on or connected to a network or when it is in use.
Link files, or Microsoft files with the .lnk extension, can reveal that a file existed or was accessed at some point on a specific system, even if that file has been deleted. A link file is a shortcut file that redirects to a particular application or file. The operating system usually creates the link file, which contains essential information such as the target file’s original location, metadata, modification dates, and size.
The price of a forensic evaluation varies depending on different factors, such as lab time, hardware and software requirements, and the scope of data and files being searched. Because digital forensics is a science, extensively trained investigators and engineers must follow a series of steps to produce a report that is solid from a forensic perspective. These processes require significant time and work to produce expert analysis.
QUANTUM INTRINSIX provides clients with case-specific pricing. Therefore, once the client makes known the required parameters and scope of the investigation, we calculate a fixed fee that will be respected unless the client requests additional work due to the emergence of new needs.
When a forensic image of a drive is made, a copy of the unused part of the drive is captured as well. This “unallocated space” holds parts of data or files that have been deleted. Once an operating system overwrites the unallocated space with new data, the original deleted files cannot be recovered. However, in some cases, because of the particular way computers store data, it is possible to recover parts of files that have been overwritten.
Because data storage is divided into tiny sectors, when a smaller file overwrites a larger file, there may be “free space” or unused space from which it is possible to extract fragments of overwritten files. Such a technique is generally referred to as “unallocated space carving.”
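The carving idea above can be shown with a small signature-based carver. This is an added example, not code from the original page: it scans a raw buffer for JPEG start and end markers and reports both intact files and fragments whose end was overwritten. The buffer is constructed inline, and the function names and the size limit are assumptions.

```python
SOI = b"\xff\xd8\xff"   # JPEG start-of-image plus the first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image

def carve_jpegs(raw, max_size=10 * 1024 * 1024):
    """Return (offset, length, complete) for every JPEG header found in raw.

    Simplification: each candidate ends at its first EOI or at the next
    header, so JPEGs with embedded thumbnails would be split by this sketch.
    """
    hits = []
    pos = raw.find(SOI)
    while pos != -1:
        nxt = raw.find(SOI, pos + 1)
        window_end = min(len(raw), pos + max_size,
                         nxt if nxt != -1 else len(raw))
        end = raw.find(EOI, pos + len(SOI), window_end)
        if end != -1:
            hits.append((pos, end + len(EOI) - pos, True))
        else:
            # Footer missing: the tail was overwritten, keep the fragment.
            hits.append((pos, window_end - pos, False))
        pos = nxt
    return hits

def build_sample():
    """Constructed 'unallocated space': one intact JPEG, one overwritten one."""
    intact = SOI + b"\xe0" + b"A" * 200 + EOI
    overwritten = SOI + b"\xe1" + b"B" * 60 + b"newer file data " * 4
    return b"\x00" * 512 + intact + b"\x00" * 306 + overwritten + b"\x00" * 128

if __name__ == "__main__":
    for offset, length, complete in carve_jpegs(build_sample()):
        state = "complete" if complete else "fragment (no footer)"
        print(f"offset={offset} length={length} {state}")
```

A fragment result marks where a deleted file began even though its remainder is gone, which matches the partial recovery described above.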