Philadelphia Surveillance Company conducts mostly surveillance; we do not conduct computer forensics. However, we have sought out the best of the best in the area for your computer forensic needs, and we highly recommend the following firm:
Matt or Barry Ryan
(800) 443-0824
(717) 599-5507
(717) 599-5505
ina@ina-inc.com

Mailing Address
INA
P.O. Box 60515
Harrisburg, PA 17106-0515

Street Address
INA
5235 North Front Street
Harrisburg, PA 17110

The Computer Data Forensics Unit conducts forensic examinations of computers to extract electronic data evidence for civil and/or criminal proceedings. An in-house laboratory services clients who have a need to preserve data or reconstruct deleted, erased or corrupted data.
What is Computer Data Forensics?
It is simply the acquisition or recovery of electronically stored data that may be of evidentiary value using specialized techniques to ensure that all of the data is acquired and unmodified. Specialized techniques are also used to examine and analyze the electronically stored data in order to present findings and conclusions. The specialized techniques used may be repeated jointly and separately to achieve identical results.
Electronically stored data exists everywhere today. Examples include computers, personal digital assistants (PDA), cellular telephones, digital cameras and video systems, "flash" or "thumb" drives, and digital music players like the Apple iPod™ products.
How is it used?
Attorneys and investigators use it as an evidence discovery tool. Some estimates claim that as much as 90% of information is never printed to paper. Deleted, hidden, or encrypted electronically stored data evidence may be recovered for examination as well.
What kinds of data can you recover?
A typical computer user interacts with electronically stored data much differently than a forensic examiner. A typical user views data in a limited manner as permitted by the operating system (e.g. Windows XP™). The operating system generally restricts access to data so that only "normal" or "native" files can be observed and accessed. Some examples of "normal" or "native" files include a Microsoft Word document, a Microsoft Excel spreadsheet, database files, and digital photographs.
In contrast, the forensic examiner can bypass restrictions by the operating system in order to view the data as it physically resides on the storage device (e.g. a computer hard drive). Therefore, the computer examiner has access to deleted files, file fragments, temporary files, system protected or encrypted files, unallocated space, and unpartitioned space.
How do you preserve the integrity of computer evidence?
A forensically sound process called imaging is used to create an exact duplicate of the original dataset without modifying any of its original contents. The duplicate dataset is called an image. A mathematical computation is applied to the original dataset to generate a "hash" or digital fingerprint. The same mathematical computation is applied to the image. If the digital fingerprints match, the datasets are authoritatively identical. All examinations and analysis are conducted on the image and not the original dataset. The authenticity of the image may be verified at any time by re-applying the mathematical computation to achieve the same digital fingerprint.
How do you recover this data?
Once the clone of the original has been recreated on a laboratory computer, a standard procedure is followed. In the case of visible files, in their native format, we simply find the relevant files using a key word search program and print to paper or archive them to an evidence CD or DVD. In the case of deleted files that are still retrievable, an “undelete” utility is used to make them visible again. We then print/save the relevant files as above. For files that are no longer retrievable with an undelete utility or were never cataloged, a special key word search tool or carve utility is used to look at unassigned areas of the drive. These utilities find words or word strings that are relevant to the case we are working. The list of words is developed with the assistance of the client. We then print/save the retrieved files as previously noted.