Forensic data analysis is a time-consuming process, but can mean an important breakthrough in many cases. We can go very deep, but for some files not all steps need to be completed so that work can be done more efficiently.
Therefore, it is very important that the applicant questions the added value on the depth of analysis and provides as much relevant information about the case as possible. Together we can debate on the right amount of depth needed for this particular project.
1. Active data
Photo/Video
When taking a photo or video, metadata (extra information) is also stored. This metadata contains so called EXIF information. It contains details such as the date and time when a photo was taken, brand and type of the camera, GPS coordinates, name of the owner of the device, etc. This information can be deleted or sometimes get lost when send over the internet. However, it can result in a significant speed gain and, in particular, more qualitative research.
By using forensic software we can filter, among other things, on '% skin tone' (photos showing the shades of skin), a comparison with a hash database to filter out irrelevant photos, etc.
Photos can also be checked for manipulation by imposing certain filters and they can be digitally improved if the basic quality is high enough. This operation must be done manually per photo.
Video images can also be digitally improved or provided with certain filters to clarify certain aspects.
Audio
Audio is copied out integrally from the forensic copy onto an external hard drive. The possible metadata can be retrieved. There is also the possibility to improve the audio quality. This operation must be done manually per audio file.
Documents
A lot of interesting metadata is also hidden in documents. The use of keywords can greatly speed up the analysis, hence the need for a good brief on the case upfront.
The more information we receive about the case or a certain document, the deeper we can go with the key words. These can be typical names of products or partners, a place where an appointment is made, a certain email address, a nickname, etc. These keywords can be placed in a text file. We can add specific regular expressions to the search file, etc.
The depth of search is also important for the speed. You can search in the active files (by name and content), in the deleted space and in the slackspace.
A specific document can also be checked for last modification, author, previous versions, etc.
Email & Internet history
Email traffic between a few people can be filtered very quickly. If a period is also included, the number of emails can be drastically reduced. When some keywords were provided, we can filter out even more. Again, provide as much information as possible on the case.
For the internet history, gathering the search terms typed on google (or other browsers) is the first investigation done, but several other things are possible.
miscellaneous
The above are the most common questions. A lot more analysis can be carried out, such as checking on copyright work (software, documentation), checking whether the software produces the requested results, etc. For more specific questions you can always contact us via info@diforex.be
2. free en slack space
All the above steps can also be repeated for the deleted data. This in both the erased space and in the slackspace *
To retrieve erased data, the analysis software must check the entire hard disk for patterns of types of files. This is a time-consuming process, called carving, that is automated. The actual analysis of the recovered files must be done in the same way as the active data.