A defensible case starts with reliable evidence. This is why preservation is one of the most important aspects of digital forensics. If a device is tampered with after a significant event, it is just like walking through a crime scene and leaving your fingerprints everywhere. Our preservation and collection techniques are completely write-protected and verifiable with complex hash algorithms. Each collection is also tracked with strict chain-of-custody protocols to ensure all evidence accountability. This allows for the level of safety while we work to retrieve data from your mobile device.
A forensically sound collection is important whether you have a single mobile device or hundreds of computers in an organization. We have the ability to quickly capture data from:
- Email Servers
- Desktop or Laptop Computers
- Network Shares
- Mobile devices
- Backup devices
Reliable evidence is necessary to defend a case. To be able to have reliable evidence, data needs to be preserved well. This is one of the most important factors of digital forensics because if a device isn’t clean or if it has been tampered with, then it may destroy some of the data and make it difficult to analyze.
This digital data is retrieved with our mobile device data recovery processes. When our standard forensic tools fail to recover data, we use JTAG and chip-off level forensics.
What Data Can be Retrieved from These Devices?
Desktop and laptop computers hold a large amount of information. Our data recovery services can retrieve data such as emails, search histories, and online documents. It is possible to retrieve deleted data as well. When data is found to support a legal case, it is used as potential evidence to work against an offender.
We can retrieve files from network shares. This can also apply to deleted files. On mobile devices, data recovery may result in retrieving text messages, phone logs, photos, GPS location and search histories from mobile search engines. This data can also be used as evidence in a court case. However, when these methods don’t work, it’s time to turn to JTAG and chip-off level forensics.
What is JTAG?
JTAG (Joint Test Action Group) is a data extraction process where wires are connected to Test Access Ports (TAPs) on a mobile device and raw data is transferred to connected memory chips. When the device is supported, this is an excellent technique to retrieve data.
What is Chip-Off Forensics?
When JTAG doesn’t work, data recovery can be achieved through chip-off forensics. This is a more advanced technique that requires physically removing the memory chip from the device. This is a method with a high success rate, but it is usually a last resort because it is more invasive. However, it works on almost every device, no matter how advanced the damage.
By collecting evidence and preserving it well, we can safely retrieve data from your mobile device.
Our Forensic Process
We have streamlined our forensics process to make it similar to how an investigation works. Not every investigation is the same, but there are similarities in the process.
Step 1: Engagement
Before beginning an investigation, we will have a meeting to discuss case objectives and create a detailed work statement.
Step 2: Preservation
No matter how many devices are involved in the case, the next step will be to preserve the evidence and begin a chain of custody through verified copies of evidence. This will help track the movements to and into our lab and save the original data.
Step 3: Investigation
The investigation phase is where the main work happens. Our experts will retrieve data, analyze it, take notes, and build a credible story with the data.
Step 4: Reporting
When the investigation is complete, we compile everything into a report explaining our findings, which will be clear and easy to understand for people with different levels of technology knowledge.
Step 5: Testimony
Our experts can testify as witnesses in court on the case findings and observations if necessary.
Data Recovery Process
A customer service representative will give you a scenario-based quote and explain how the process works. We also provide a time estimate depending on your chosen service level. We offer many options from low-cost and low-priority to emergency and same-day service.
The first step to data recovery is filling out paperwork electronically or manually. After the job is checked into the system, we send you an email and call you when your media has arrived. The email will contain a username and password so you can check your recovery job’s status throughout the process.
Next, our technicians will diagnose your device. After they have discovered how to recover data from your device, you will receive a quote of the costs and you can either deny or accept the quote.
When you accept the recovery quote, we start the recovery process. After it is completed, we will send you a file listing to verify the recovery. We will review and approve the file listing and place the recovered data on another form of media. We will then ship the data back to you or you can choose to pick it up.
Flashback Data has worked for clients around the world since 2004 on sensitive incident investigations and forensic data recovery services. We have worked for corporations, law firms, and foreign governments.
We have a ISO/IEC 17025:2005 laboratory that is accredited by the American Society of Crime Laboratory Directors. We also have several certifications:
- Certificate | ALI-113-T
- Field of Accreditation | Forensic Science Testing
- Discipline | 9.0 Digital and Multimedia Evidence
Our personnel are experts in law, criminal investigation, intelligence, fraud examination, and information systems and security, and our forensic examiners are highly credentialed in many fields.
Flashback Data has a secure facility that will protect your media at all times. The lab features four zones that equipped with 24/7 monitoring, anti-static flooring, class 100 clean room workstations, flash memory and mobile phone repairs stations, thousands of hard drive replacement parts, and more.
The forensic lab has powerful workstations and fast hardware imaging stations, as well as dozens of terabytes of storage.
To recover data from a device, the environment must be clean since any dust, fingerprints, and dirt can harm the recovery process. Flashback Data performs all recoveries in a safe and clean environment for the best results possible.
Flashback Data also has a secure facility to accommodate any size evidence preservation request.
If you have devices you need collected please contact us at 866.786.5700 today to speak with someone about your project.