In the rapid growth of the Data Forensics field we see a number of “want to-be’s” entering the arena daily. Private investigation firms claim they have sufficient computer knowledge to conduct computer investigations. Data recovery companies claim they can investigate unlicensed and present eDiscovery documents in court. Be careful here… not every geek in town who has data recovery experience, is an experienced investigator and not every Private Investigator knows how to search all the different allocations of the hard drive or read a report from the router.
In order to be a good Data Forensic Investigator a person should be well versed in both arenas and have the following three main requirements:
The First Requirement is a private investigator license, both Nevada and California require this, practicing without a license can have serious consequences.
The second requirement is to have computer training certifications and field experience in computer forensics. It is not enough to be licensed as a private investigator without extensive computer knowledge because as a computer forensic expert you are expected to be able to offer expert computer advice and have the understanding of how data is stored, collected, sent and copied.
Finally, the third requirement is to have investigative knowledge, background and experience. Most private investigators need to have at least 10,500 hours of investigation experience. If you don’t know how to think like an investigator, then how can you be one? A private investigator or a person with 10,500 hours of investigation experience will know how to follow the chain of custody protocols and will also know how to accurately document and correlate incidents to evidence.
In conclusion, before you hire an expert in data forensics and recovery make sure you check that they are compliant with the state licensing regulations, as well as have the experience in both the fields of computer sciences and investigations.
Expert Data Forensics: http://www.ExpertDataForensics.com Tel: 702-435-8885 Toll Free: 888-355-3888 Follow me on Twitter: Data Forensics
Speaker: Scott Moulton, President of Forensic Strategy Services, LLC
This speech is all ANIMATION in 3D! Data on a Solid State Device is virtualized and the Physical Sector that you are asking for is not actually the sector it was 5 minutes ago. The data moves around using wear leveling schemes controlled by the drive using propriety methods. When you ask for Sector 125, its physical address block is converted to an LBA block and every 5 write cycles the data is moved to a new and empty previously erased block. This destroys metadata used in forensics & data recovery. File Slack Space disappears, you can no longer be sure that the exact physical sector you are recovering was in the same location or has not been moved or find out what it used to be!
I will explain how Flash and Solid State Drives are different and compare them to hard drives in their ability to read and write data. What happens when they are damaged and a recovery needs to be done? In this process you will see how the data gets shuffled around and how some of the data is destroyed in the process making it impossible in many cases to recover some files and metadata that on a hard drive has been a simple task by comparison. You will also get an idea about how propriety methods that each vendor is using will isolate you from knowing what is happening to your data or even where it is on the drive. And at the very least the animation is the quality of the History Channel and you will enjoy what you are learning!