In terms of digital forensics, the following can be offered as an inherent part of any given investigation and/or as a stand-alone service:
CHAIN OF CUSTODY
We offer a full chain of custody from seizure to disposal of exhibits. We operate within industry standards and norms, including the use of Faraday bags, tamper-proof bags and secure transport, where required. All exhibits are catalogued, signed for in duplicate and entered into the company’s Safe Register on arrival. Standard key-holder security levels apply and all exhibits are stored within a fireproof safe. Our offices have the required security and laboratory access control levels to meet chain of custody requirements.
We have our own bespoke lab facility in Cape Town which features an insular network, a signal-blocked working environment and server infrastructure, as well as the required tools and equipment for forensic tasks. Our lab facility is CCTV monitored with biometric access control and 24/7 security.
Onsite triage is an important aspect of forensic analysis, as it affords us the opportunity to isolate and prioritise exhibits according to the client brief. We use various tools during the triage process, primarily Magnet Axiom Triage, Paraben, C.A.I.N.E or FTK. These are well-respected tools within the industry and assist with the identification of potential exhibits. Having the proper equipment and software dramatically reduces onsite time.
SEIZURE OF EXHIBITS
Seizure of exhibits can make or break a case, as far as presenting resultant evidence to a court is concerned. The exhibits need to be properly identified, handled and catalogued. Marking of exhibits to enter the chain of custody is key - this includes the capturing of live RAM if this is appropriate to the investigative need.
FORENSIC CLONING & IMAGING
Forensic cloning and imaging require precision and the best available equipment to ensure consistent and court-approved results. We recommend the creation of both a clone and a forensic image, one for evidentiary purposes and one for analysis. Forensic clones and images include the generation of an MD5 hash for verification purposes.
Once a forensic image is generated, it still needs to be interrogated, and deleted data needs to be recovered and made accessible. This needs to be done in a sound manner in order to preserve the evidence. For this task we use a variety of toolsets; however, our preference is for Magnet Axiom as an industry leader. Magnet Axiom provides two core options for analysis. The first is to provide output reports of flagged evidence and items of interest in PDF or HTML format. The second is to provide a Portable Case File which can be searched and indexed by a competent Investigator or Digital Forensics Expert.
Mobile device acquisition, including creating a dump file as a portable case file, is a high-demand service and depends on a variety of factors which influence complexity. Our services are divided as follows:
- Acquisition of a mobile handset including creating a portable case file.
- Bypassing of screen locks/key locks on most varieties of handsets.
- Analysis of the results.
For mobile handsets we prefer Magnet Examine/Paraben/Cellebrite.
Contact True Lies directly to discuss your specific requirement.