Our work in digital forensic evidence examination is supported by our software and systems. These include a wide range of internally developed and industry-standard mechanisms, which we combine into operating environments that serve as repeatable scientific platforms. The platforms are tested, calibrated, and supported by documented methodologies, histories, reliability information, functionality, and limitations. Using them gives us a baseline of examination mechanisms that support courtroom testimony and that have been used in previous legal matters. The mechanisms generally cover:
Analysis: Methodological and technical mechanisms that support moving from a bag-of-bits to meaningful context, feature and characteristic detection and analysis, trace typing, searching and complex syntactic analysis, sieves and counting mechanisms, hidden content identification, time sequencing, location mapping, visualization, and consistency analysis methods.
Interpretation: Methodological and technical mechanisms that support interpretation of structured and unstructured traces and analysis results, alternative explanations, missing traces, redundancy analysis to mitigate interpretation errors, information physics evaluation processes, similarity quantification methods, visualization in interpretation, and methodological support.
Attribution: Methodological and technical mechanisms for attributing actions to human actors, automated mechanisms, devices, operating environments, and programs, assessment of damages, and attack attribution.
Reconstruction: Methodological and technical mechanisms for physical and virtualized reconstruction environments, pseudo-operating environments for closed-environment simulation of external interactions, and replay mechanisms for recorded event sequences, network traffic, system operation, and similar reconstruction and experimentally repeatable replays.
We also lease configured systems complete with operating environments and tools for annual fees starting at $6,000, plus customization and support services. Examples:
| Fees | System |
|---|---|
| $6,000/y | Forensics workstation with 1 Tbyte of storage running a customized Linux configuration with essentially all publicly available non-fee tools installed and tested, configured and secured for use as a forensic analysis workstation, with internal integrity checking and select custom and semi-custom tools. |
| $9,000/y | Forensics workstation with 2 Tbytes of storage running a customized Linux configuration with essentially all publicly available non-fee tools installed and tested, configured and secured for use as a forensic analysis workstation, with internal integrity checking and select custom and semi-custom tools. Also includes methodology tools and supporting data sets. |
| $12,000/y | Forensics network support system with 4 Tbytes of storage running a customized Linux configuration with essentially all publicly available non-fee tools installed and tested, configured and secured for use as a forensic analysis workstation, with internal integrity checking and select custom and semi-custom tools. Includes case management configuration and local-area-network support for forensic workstations, including backup and recovery solutions for workstations, network imaging server, and distributed computing mechanisms to support large-scale multiprocessor forensics examinations as well as shared file systems for multi-workstation forensic examinations from common storage areas. |
| $18,000/y | Parallel processing (private cloud) system (32 processor array) configured for parallel forensic examination processes and integrated with the forensics network support system. |