Digital Forensics

Digital Forensics is a specialised and rapidly growing field of investigation. Digital investigations can take place both through the remote analysis of data, as well as through on-site forensic imaging. Hawkins uses innovative, industry standard software to collect original evidence, as well as forensically authenticate and preserve it. Through review and determination of events, we discover the source of a digital event or attack, how it occurred, and what information may have been lost or compromised.

ERIN LeMASTER

Hawkins’ Digital Forensics Examiner, Erin LeMaster, has a degree in Digital Forensics from Bloomsburg University of Pennsylvania, and is experienced in best practice procedures for the proper collection and examination of digital evidence, such as computers & laptops, mobile devices, digital video recorders, servers, cloud data, and other unique digital storage media.

Erin, together with other select Hawkins investigators, offers digital forensics services in the fields below.

COMPUTERS & MOBILE DEVICES

Given the prevalence of computers and mobile devices in the world today, the need to investigate the activities conducted using those devices is becoming more and more relevant and useful. Technology is integrated into our daily lives, personally and professionally. As a result, the data on the devices we wear, carry, and interact with can provide useful information.

Hawkins can forensically collect and analyse computers and mobile devices of all makes and models.

Devices:

• Desktops
• Laptops
• Smart phones
• Tablets
• Virtual machines
• Servers

Operating systems:

• Windows
• Macintosh
• Linux
• Android
• Other proprietary operating systems
• External storage media

Reasons to Instruct a Digital Examiner:

Theft of Intellectual Property - Examination of an employee’s corporate issued devices to identify, access and transfer proprietary information. A proactive measure may also be taken by an organisation when hiring an employee from a competitor to ensure that no proprietary data is inadvertently transferred.

Misappropriation of Company Resources - Internal investigations into the unauthorised use of funds, property or information, examining company devices such as laptops and cell phones.

Spear Phishing and Email Compromise - Phishing can often result in the compromise of employee credentials providing unauthorised access to email communication containing valuable information. Business email compromise matters often result in the misdirection of financial transactions into a fraudulent bank account. Hawkins can analyse email header information to determine how unauthorized access was obtained and what information was intercepted.

Communication Data - Examination of communication data such as SMS (short message service), MMS (multimedia message service), iMessages, email, call logs, instant messaging, and more.

Cryptocurrency - investigating online trading incidents with up-and-coming cryptocurrency, such as Bitcoin.

Internet Usage Investigations - Investigating inappropriate Internet usage by either staff members or students at various types of organisations: data collection, preservation, and review for legal matters.

Internet Data Investigations - Collection and analysis of social media and cloud data.

Document Authentication - Examining file metadata to determine authenticity and provenance of a file.

Location Data - Examining location data from mobile devices, GPS systems, SatNavs, and cell towers to determine a device’s location.

Our analysis can provide answers to questions like:

• Was any data deleted?
• What events occurred during a specific timeframe?
• Was data transferred to a USB device?
• What websites were visited?
• What search terms have been searched?
• Who authored a document?
• Who sent an email?

In many ways, smartphones and tablets have become as powerful as computers, and are much more portable. However, the way mobile devices operate is fundamentally different to a traditional computer, and therefore they must be handled differently. Hawkins has the expertise necessary to examine all kinds of portable, mobile devices as well as computers.

Hawkins is equipped to handle a wide range of clients’ needs, whether the investigation is large or small, for legal or corporate reasons, via a computer or mobile device, or on Mac, Windows or Android operating systems.

Cyber security

Incident Response - rapid response to suspected security breaches and assessment to determine point of entry, data loss or compromise, and lockout means of access including backdoors

Network Security Survey - proactive approach to assessing security measures and providing recommendations for additional security to help prevent or provide early detection for a security incident

Ransomware - educating businesses on how to prevent losses

eDisclosure

eDisclosure is the forensic collection of data, which is then sorted, filtered and organised for easy review by legal practitioners. The Electronic Discovery Reference Model (EDRM) outlines the standards for the handling of Electronically Stored Information (ESI) throughout the eDisclosure process. At the outset of an eDisclosurematter, the scope of relevant data is identified and preserved, collected, processed, reviewed, analysed, and produced, and finally presented.

Due to the volume of data generated by multiple sources, an eDisclosure matter can be overwhelming at the outset. Hawkins implements EDRM to efficiently convert your eDisclosure matter into a production of only the relevant documents. Hawkins has the expertise to collect data of all types and sources. We manage the collection of data, process and analyse the data, and finally produce the relevant information. 

RECOVERY OF DATA

It is often possible to retrieve intentionally or accidentally deleted data. Hawkins can recover this data by the process of carving for deleted files within a device’s unallocated space, even in situations when metadata may have already been lost. If data is deleted intentionally, anti-forensic measures may have been taken which is also often possible to identify.

Data on hard drives, memory chips, or other damaged media, that becomes damaged by fire, flood or other accidents can often be recovered. Hawkins operates a lab in which this work is undertaken. Investigator Paul Gee analyses damaged hardware to see if any recovery of data can be made, by locating unencrypted files and extracting them from mechanically damaged hard drives, SD cards and memory devices

ANALYSIS OF CCTV

Hawkins has extensive experience in the analysis and enhancement of CCTV evidence, which has been used to assist in the interpretation of incidents of all types. Investigators analyse timestamps on footage in its proprietary form, or on DVDs received from local authorities. Hawkins is able to produce a comprehensive frame by frame analysis, to both provide the best view of the incident, as well as deliver an efficient and readable final report.

Together with 3D laser scanning data, and/or data from the Police, road traffic collision investigators can determine the speed and position of a vehicle, as well as other necessary factors for completing a collision reconstruction. Telematics transmitted from a vehicle’s connected devices at the time of an incident, such as data from a navigation system, or a smart phone’s SMS/call logs, can also be used in an incident’s reconstruction. A recorded device event may provide more insight into the circumstances surrounding the vehicle both pre and post incident. Road traffic collision investigator James Wade is especially experienced in the use of 3D laser scanners during collision reconstructions and investigations.

CCTV footage can be integral in corroborating a series of events or witness testimony. This footage is obtained from Digital Video Recording devices (DVR) which are often proprietary devices. Hawkins can forensically collect, examine, and produce the CCTV footage while maintaining the forensic integrity of the data. Investigators Richard Baker and James Wade have undertaken specialist CCTV analysis training, and can produce extremely detailed reports based on individual frame extraction and enhancement.