Orlando Computer and Digital Forensics Services
ITAcceleration: Orlando Based Technology Experts Specializing in Digital and Computer Forensics
Established in 2002 with locations in Philadelphia and Orlando, ITAcceleration is a premier technology management company specializing in Managed IT Services, Digital Forensics, and Regulatory Compliance.
Technical Expertise for your Business and Litigation
Our technical teams excel in Managed IT Services, Compliance, and Digital Forensics. The company is directed by a managing partnership, each with over 30 years of technology expertise.
The technology we support for our IT clients is the same technology that we preserve and investigate during forensic investigations for litigation. This technical expertise is THE decisive differentiator for our forensic services.
Our Digital Forensics Lab is equipped with state-of-the-art forensic tools to quickly and thoroughly perform analysis on devices and services holding relevant data. These may include computers, smartphones, social media, email, etc.
Our Managed IT Services, both as a virtual IT department and cloud management, provide our clients with seamless support and reliable systems, with a focus on mitigating data risk.
Our extensive knowledge in Regulatory Compliance for HIPAA, FDA, PCI, and GDPR rounds out our complement of services for your business and clients to successfully compete in today’s environment of complicated industry compliance and litigation.
Digital Forensic Investigations
At ITAcceleration, we require all forensic analysts to have a background in IT. It just makes sense since this is the expertise needed to investigate data systems properly. Many of our forensic projects entail the investigation and data recovery of complex systems such as databases, servers, proprietary applications, crashed hardware, and unique electronic devices that hold data. Having an IT background in Windows, Linux, and Macintosh computing environments is an enormous advantage when investigating such technologies.
Our team regularly trains to stay current on new and existing forensic tools and methodologies. Just as technology evolves, so do the tools and techniques for our forensics business.
But you cannot testify on what the forensic tool reported. Forensic investigations must review the point of origin that may include the operating system, application software, or custodian behavior.
In the Casey Anthony case, which every Floridian is keenly aware of, the government testified that the word “chloroform” was searched 84 times. Later the forensic software vendor reported that their algorithm was incorrect, and the government’s testimony was inaccurate. The Orange County forensic expert even testified that “several forensic tools were used to examine web content” with varied results. Can you imagine a decision marred by such egregious testimony? Yet it happens all the time.
Interesting review of Sgt. Stenger Testimony
The Daubert Standard implies that evidentiary findings must be repeatable. ITAcceleration takes this a step further by validating the findings using various methods and not relying on one tool. Tools can streamline findings, but these findings should be validated back to the point of origin. The ultimate point of origin is the operating system or application. The government neglected this requirement, yet no one challenged their reporting or testimony. We would, and we do.
Expert Services and Court Testimony
Our ability to communicate and explain complex technical concepts to the judge and jury is unmatched in the industry. Techno-babble is a real problem with these types of cases. All testimony requires a clear understanding of its importance to the case.
Not challenging your adversary’s allegations and evidence-based electronic findings can lead to misleading and incorrect evidence, favoring your adversary, entered into court as fact. We review the other side’s reports, processes, and procedures they performed to acquire electronic evidence and refute their allegations with our undisputed evidence reporting and findings when warranted.
Improper preservation and chain-of-custody can lead to spoliation. Because these steps establish the foundation of every investigation, they must be followed correctly and result in legally defensible processes. Fortunately for us, these steps are not always followed by opposing experts as they should be, which results in a host of problems for the other side’s expert to explain.
Additionally, exculpatory evidence is not investigated or reported by the government or your adversary. Government cases are notorious for missteps due to their belief that defense counsel will not hire an expert to review and refute their reports. Our involvement is a game-changer in these cases.
Led by David Yarnall, our team has successfully testified in various federal courts as well as local county and municipal courts. Our reporting and testimony alone have won cases and substantially reduced the government’s plea agreement offer.
In a current criminal matter, the defendant was looking at 30 years for the “attempt to create” illicit content. In the FBI’s report, the government failed to connect the dots to show that the defendant was not involved in the allegation. By merely requesting the government investigator reports, the Federal Prosecutor, within days, offered a plea deal of a 2nd-degree misdemeanor and 18 months time-served.
In 2003, we developed our forensic methodology, called ForenSYS, to ensure all processes are thoroughly completed and legally defensible. This process has become an industry standard. We then expanded ForenSYS to provide for a Life-cycle for Electronic Discovery, to include the entire litigation workflow. This model is still valid today.
Why is technical planning important?
Evidence acquisition can be a complex requirement. Determining the relevant data types is critical for us to determine the approach to preserve correctly. Many technologies, mainly smart apps and cloud services, change quickly and without notice. For example, the versions of WhatsApp running on an Android smartphone evolved several times in a short period, while WhatsApp enhanced their security and encryption. The approach to preserve and recover content needed research.
Secondly, planning eliminates wasted effort and ultimately costs to the client.
Lastly, we review with counsel the potential areas where data may reside and be worth preserving that counsel may not have considered. Offline and archived data can be a crucial source for evidence.
How has forensics changed over time?
Before the 2006 adoption of the ‘Federal Rules of Civil Procedure Pertaining to Electronic Evidence’, attorneys would typically rely on depositions and hardcopy discovery. Electronic evidence was a new and intimidating issue for lawsuits.
When we started providing forensic services in 2003, it was called Computer Forensics. At that time, much of the data sought was email communications. During our planning session, we provided insight to alert counsel that there is much more data available but hidden.
In one case in 2006, we forensically analyzed a computer and found email imprints that sealed the case for our client. These emails found in web cache provided email communications over a critical two-week period where the defendant documented their wrong-doing. This data was not readily available without forensic recovery. Gaining access to the defendant’s email account would be a fight without credible evidence. This evidence was credible and forensically defensible.
Today, Computer Forensics has evolved into Digital Forensics. Every investigation now includes all the devices that we have become accustomed to using. Digital Forensics includes computers, smartphones (which have increased to match or exceed computer investigations in cases), email, social networking, blogs and websites, databases, USB devices, cameras, surveillance… This list is continually evolving.
What technical background or expertise should a forensic analyst possess?
Forensic investigations have become complex in a short time. When the field was known as computer forensics, the web as we now know it did not exist, nor did smartphones. Also, litigating attorneys have become much savvier regarding what evidence forensics can provide.
Several schools and colleges provide digital forensic curriculums, but being a qualified analyst requires a broader range of skills, practical knowledge, and expertise in information technology.
In one case, counsel provided us with decommissioned Linux servers that were used by fraudulent telemarketers recording the transactions they completed. These servers were password-protected, and we had no assistance to gain access. We were able to gain access to the data forensically but unable to run the application from the servers that consisted of the victims’ names and associated amounts bilked from them. We were, however, able to see the database tables and database files. This data provided us a roadmap to re-engineer the application quickly and allow us to see formatted data required by counsel. Although this project took a few months, it saved a significant amount of money (in millions) by providing counsel a search method to review data on their own.
Today, with cloud technologies, the need to understand how these online applications function is imperative. Many of the apps we use on smartphones may store data in the cloud. Well-rounded technical expertise is a requirement for a forensic analyst.
How do you go about analyzing a computer hard drive?
Hard drive preservation is relatively straightforward. Hard drives are physically removed from the computer and connected to the imaging appliance. We use VOOM Hard Copy and Logicube Falcon-NEO appliances. These create a legally defensible exact bit-for-bit copy of the original hard drive. If the hard drive is 500Gb with 30Gb used, the forensic image is 500Gb. Once imaging is completed, a hash is calculated, providing a fingerprint of the imaged data, and verified to ensure the authenticity of the data.
The challenges include increased hard drive sizes and encryption. A 1Tb drive may take 10 hours to complete a physical forensic image. 4Tb drives will take 4x as long. This is a limitation of interface speeds.
Can you recover deleted data from a hard drive?
The short answer is yes, but like anything related to technology, there are caveats. On a Windows computer, when you delete a file, it typically goes to the Recycle Bin where you can recover it. When emptying the Recycle Bin, the space where the data resided is no longer tracked by the Windows operating system and is available for new data to be written to it. This space is now referred to as Unallocated Space. As long as new data does not overwrite this space, the data there can be forensically recovered.
The initial requirement to complete this recovery is to perform a physical forensic image of the hard drive. This process will capture Unallocated Space.
What is the Difference Between a Physical Image vs Logical Image?
Logical images include data that is readily available. Folders preserved would consist of the likes of \Documents and the Recycle Bin. A logical image does not include Unallocated Space where deleted data may exist.
If we logically image a 500Gb hard drive that contains 30Gb of data, then the forensic image is 30Gb.
Physical images include Unallocated Space by imaging the entire hard drive. Unallocated space is hard drive space that is not used by data tracked by the operating system. This space can be a treasure trove for electronic evidence. We always suggest physical imaging to ensure we preserve everything, whether it’s initially needed or not.
If we physically image a 500Gb hard drive that contains 30Gb of data, then the forensic image is 500Gb.
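The difference between the two image types, recovery from Unallocated Space, and the post-imaging hash check described above can be seen on a small scale in the following added example (not ITAcceleration's code or tooling). The 8 KB toy drive, its simple file table, the file names and the file contents are all constructed assumptions for illustration.

```python
import hashlib, io

CLUSTER, DISK_CLUSTERS = 512, 16   # constructed toy drive: 16 x 512 = 8192 bytes

def build_disk():
    """Return (disk_bytes, file_table) with one live file and one deleted file."""
    disk, table = bytearray(CLUSTER * DISK_CLUSTERS), {}
    files = {"report.txt": b"quarterly report",
             "memo.txt": b"MEMO: wire the funds Friday"}   # constructed contents
    for i, (name, data) in enumerate(files.items()):
        start = i * 2                                   # first cluster of the file
        disk[start * CLUSTER:start * CLUSTER + len(data)] = data
        table[name] = (start, len(data))
    del table["memo.txt"]   # deleted: no longer tracked, but the clusters are not wiped
    return bytes(disk), table

def logical_image(disk, table):
    """Copy only the data the file table still tracks."""
    return {n: disk[s * CLUSTER:s * CLUSTER + l] for n, (s, l) in table.items()}

def physical_image(disk):
    """Bit-for-bit copy of every cluster, allocated or not."""
    return bytes(disk)

def sha256_stream(stream, chunk=4096):
    """Hash in chunks, as needed for images too large to hold in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def unallocated_hits(image, table, needle):
    """Offsets of needle that fall in clusters no file-table entry covers."""
    used = set()
    for s, l in table.values():
        used.update(range(s, s + -(-l // CLUSTER)))     # ceiling division
    hits, pos = [], image.find(needle)
    while pos != -1:
        if pos // CLUSTER not in used:
            hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits

if __name__ == "__main__":
    disk, table = build_disk()
    phys, logical = physical_image(disk), logical_image(disk, table)
    print("logical bytes:", sum(map(len, logical.values())), "physical bytes:", len(phys))
    print("deleted memo found at:", unallocated_hits(phys, table, b"MEMO"))
    match = sha256_stream(io.BytesIO(phys)) == sha256_stream(io.BytesIO(disk))
    print("image hash matches source:", match)
```

The logical image holds only the 16 tracked bytes, while the physical image holds all 8192 and still contains the deleted memo in an untracked cluster.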
How does encryption affect imaging?
Windows BitLocker Encryption is an example of hard drive encryption. In short, we need the decryption or recovery key to access the data. Short of that, we could log in to the computer with administrator permission and logically image or remove encryption.
How are Smartphones preserved and analyzed?
Smartphones, or smart devices in general such as tablets, have begun to take over the investigative needs for litigation. With the use of apps that are unique and separate from the computer, these devices have different forensic requirements, challenges, and potentially relevant data for litigation.
There are several forensic smartphone tools on the market. Some work better than others for specific tasks, so a toolbag is the best approach utilizing several tools and techniques. The smartphone tools have matured over recent years and have become more reliable. What remains is the combination of app versions and smartphone versions that create dynamic challenges.
To preserve a phone, we first research the phone make, model and carrier and then review the scope of work to determine the app that may hold relevant data. Phones are connected to a computer in airplane mode to eliminate a potential remote wiping of the phone and block any calls or messages that could disrupt the preservation process. The smartphone forensic tool is loaded, and a small piece of code is installed on the phone without overwriting existing data. The application identifies the phone, or its specifications are manually entered into the application. The type of image is selected and started. Phones vary as to whether they can be imaged physically, logically, or as a file system dump. We typically create multiple types of images, including a native copy, such as an iTunes backup for Apple phones.
The tools then process and extract data into categories. This technique is useful when you are only interested in or restricted to one type of data, such as text messages. Oxygen Forensics is our primary tool that also preserves online web and social media content. But we also refer to Cellebrite for comparison.
What types of cases can include electronic evidence?
Attorneys need to think about electronic evidence when you think about how technology has impacted our day-to-day lives.
If you require a digital forensics expert in Orlando, Florida, ITAcceleration may be able to help you.