There are many ways and places to hide information in today's high-tech world, but recovering that information presents its own unique set of challenges, and we're here to meet them with on-site and/or remote services.
Forensic Data Analysis involves the recovery, decryption and analysis of information stored within computer systems, storage systems, phone systems and hard data. The processes involved are very specific to each case, but in general there are several categories.

Soft Data Forensic Analysis

Information stored on a computer hard disk, for example, is soft data, in that the information can be easily changed and/or deleted. Recovering the information is often the easy job, but deciphering the information is much harder. There are many systems and protocols for the encryption and decryption of data, and many of them present a very high degree of resistance to compromise. However, most computer systems leak large amounts of data to unprotected areas of the storage medium during their operation, and this information can often be useful. Another recent technique employed, especially by criminals with data encryption knowledge, is what we call Hot Data. Hot Data is the storage of confidential information in RAM and NOT on the hard disk. This method of storage provides almost certain protection from discovery, as during a raid the Police will probably just pull the plug on everything and take it away, ensuring the data is destroyed. A variation of Hot Data is a system where data is stored on the hard disk, but the key required to decrypt it is stored ONLY in RAM and changes every time the computer is reloaded. Whatever the method of protection, interception at the CORRECT MOMENT is critical.

Hard Data Forensic Analysis

Information that is stored on paper, burnt onto CD or DVD, or spoken in code are all examples of Hard Data. It's "Hard" because it can't be easily changed and as such is likely to be static. Recovery and deciphering of hard data often requires information from two or more sources, and this distributed method of protection is what presents the challenge. Correct identification of the cipher used and the method used to protect that cipher are just as important as the cipher itself, if not more so.

Digital Surveillance

Whilst digital communications should make it easier to monitor and record the activity of known or unknown individuals, this is often not the case, as the wide availability of encryption technologies such as S/MIME and PGP, and seemingly impenetrable algorithms such as Blowfish, make the job considerably harder. There is, however, always a point at which the information MUST travel unencrypted, and interception at this point is by far the best strategy. For Counter-Surveillance systems and services see Data Security.

Forensic Analysis and Reporting

The process of recovery and analysis is often a complex one, but it generally follows this procedure:

  1. Extract the raw data from the medium upon which it is stored.
  2. Extract/decipher/decrypt information contained in the raw sample.
  3. Identify the subject and meaning of the now human-readable data.
  4. Document the entire process thoroughly such that it may be used in evidence.

Upon completion of any assignment, the information in all its various forms together with our documentation and reports is supplied back to the client in electronic form. We do not keep a record of ANY information relating to any previous cases. 

Decryption of Protected Storage

We provide a wide range of security decryption services and are currently able to decrypt and/or remove passwords from the following file types:

| APPLICATION / SERVICE | FILETYPES |
| --- | --- |
| Adobe Acrobat | PDF |
| Symantec ACT! 2.0 - 2000 | BLB |
| ACT! by Sage 2005 - 2009 | ADF |
| Android Backup 4.4 or earlier | AB |
| Android Image 4.4 or earlier | BIN |
| Apple Disk Image | DMG, DD |
| Apple iCloud Token | |
| Apple iTunes Backup / iOS 4.x - 9.x | PLIST |
| BestCrypt 6.0 - 8.0 | JBC |
| FileMaker Pro 3.0 - 14.0 | FP3 / FP5 / FP7 / FMP12 |
| Google Chrome Website | |
| ICQ 2000 - 2003, 99a, Lite | DAT / FB |
| KeePass | KDB, KDBX |
| Lotus 1-2-3 1.1+ | WK!, WK1, WK4, WRC, WR1, WR9, 123 |
| Lotus Notes 4.0 - 8.0 | ID |
| Lotus Organizer 1.0 - 6.0 | ORG / OR2 / OR3 / OR4 / OR5 / OR6 |
| Lotus Word Pro 96 - 99 | LWP |
| LUKS Disk Image | DD, IMG, BIN, E01 |
| Mac OS / FileVault2 | DMG, DD, IMG, BIN, E01 |
| Mac OS X Keychain | |
| Mac OS X User / Hash | PLIST |
| Mac OS X 10.8 - 10.10 User / Hash | PLIST |
| Mozilla Firefox Website | |
| MS Access 2.0 / 95 / 97 / 2000 / 2002 / 2003 / 2007 / 2010 / 2013 | MDB / ACCDB / MDA / MDW |
| MS Backup | QIC |
| MS Excel 4.0 / 5.0 / 95 / 97 / 2000 / 2002 / 2003 / 2007 / 2010 / 2013 | XLS / XLSX / XLSM |
| MS Pocket Excel | PXL |
| MS Excel VBA | XLA, XLSM |
| MS Internet Explorer Website | |
| MS Internet Explorer Webform | |
| MS Internet Explorer Content Advisor | |
| MS Mail | MMF |
| MS Money 99 or earlier / 2000 / 2001 / 2002 / 2003 / 2004 / 2005 / 2007 | MNY |
| MS OneDrive | |
| MS OneNote 2003 / 2007 / 2010 / 2013 | ONE |
| MS Outlook 2000 / 2003 / 2007 / 2010 / 2013 Email Accounts | |
| MS Outlook 2000 / 2003 / 2007 / 2010 / 2013 Form Template | OFT |
| MS Outlook 2000 / 2003 / 2007 / 2010 / 2013 Personal Storage | PST |
| MS Outlook Express Accounts | |
| MS Outlook Express Identities | |
| MS PowerPoint 2002 / 2003 / 2007 / 2010 / 2013 | PPT, PPTX, PPTM |
| MS Project 95 / 98 / 2000 / 2002 / 2003 | MPP |
| MS SQL SERVER 2000 / 2005 / 2008 | MDF |
| MS Windows NT User / Secure Boot Option | |
| MS Windows 2000 User / Secure Boot Option | |
| MS Windows 2000 Server User / Secure Boot Option | |
| MS Windows 2000 Server Active Directory Administrator | |
| MS Windows XP User / Secure Boot Option | |
| MS Windows 2003 Server User / Secure Boot Option | |
| MS Windows 2003 Server Active Directory Administrator | |
| MS Windows 2003 SBS User / Secure Boot Option | |
| MS Windows 2003 SBS Active Directory Administrator | |
| MS Windows Vista User / Secure Boot Option | |
| MS Windows Vista / BitLocker | DD, IMG, BIN, VHD, E01 |
| MS Windows 2008 Server User / Secure Boot Option | |
| MS Windows 2008 Server Active Directory Administrator | |
| MS Windows 2008 Server / BitLocker | DD, IMG, BIN, VHD, E01 |
| MS Windows 7 User / Secure Boot Option | |
| MS Windows 7 / BitLocker | DD, IMG, BIN, VHD, E01 |
| MS Windows 2012 Server User / Secure Boot Option | |
| MS Windows 2012 Server Active Directory Administrator | |
| MS Windows 2012 Server / BitLocker | DD, IMG, BIN, VHD, E01 |
| MS Windows 8 - 8.1 User / Secure Boot Option | |
| MS Windows 8 - 8.1 / BitLocker | DD, IMG, BIN, VHD, E01 |
| MS Windows 10 User / Secure Boot Option | |
| MS Windows 10 / BitLocker | DD, IMG, BIN, VHD, E01 |
| MS Windows Domain Administrator | |
| MS Windows Live ID Account | |
| MS Windows NTLM/LANMAN Hash | |
| MS Windows Phone | |
| MS Windows User / UPEK | |
| MS Word 1.0 / 2.0 / 3.0 / 4.0 / 5.0 / 6.0 / 95 / 97 / 2000 / 2002 / 2003 / 2007 / 2010 / 2013 | DOC / DOT / DOCX / DOTX / DOCM |
| MYOB earlier than 2004 / 2004 / 2005 / 2006 / 2007 / 2008 / 2009 / 2010 | PLS / PRM / DAT / MYO |
| Network Connection | |
| Norton Backup | SET |
| OpenDocument | ODT, ODS, ODP, ODB |
| Paradox Database | DB |
| Peachtree 2002 - 2006 / 2007 / 2008 / 2010 / 2013 | DAT |
| PGP Desktop 9.x - 10.x Zip | PGP |
| PGP Desktop 9.x - 10.x Private Keyring | SKR |
| PGP Desktop 9.x - 10.x Virtual Disk | PGD |
| PGP Desktop 9.x - 10.x Self-Decrypting Archive | EXE |
| PGP WDE | DD, IMG, BIN, E01 |
| GnuPG Private Keyring | GPG |
| Quattro Pro 5 - 6 / 7 - 8 / 9 - 12 / X3 / X4 | QPW, WB1, WB2, WB3 |
| QuickBooks 3.x - 4.x / 5 / 6 - 8 / 99 / 2000 - 2014 | QBW, QBA |
| QuickBooks for Mac 2013 / 2014 | QB2013 / QB2014 |
| QuickBooks Backup | QBB |
| Quicken 95 / 6.0 / 98 / 99 / 2000 - 2014 | QDF |
| RAR 2.0 Archive | RAR |
| RAR 2.9 - 4.x (AES Encryption) Archive | RAR |
| RAR 5.x Archive | RAR |
| Remote Desktop Connection | RDP |
| Safari 5.0 - 5.1 Website | |
| Schedule+ 1.0 / 7.x | CAL / SCD |
| TrueCrypt Non-System Partition/Volume 5.0 or later | DD, IMG, BIN, TC, E01 |
| TrueCrypt System Partition/Volume 5.0 or later | DD, IMG, BIN, TC, E01 |
| TrueCrypt Whole Disk 5.0 or later | DD, IMG, BIN, TC, E01 |
| TrueCrypt Hidden Partition 6.0 or later | DD, IMG, BIN, TC, E01 |
| TrueCrypt Hidden OS 6.0 or later | DD, IMG, BIN, TC, E01 |
| Unix OS User Hash | |
| WordPerfect 5.x / 6.0 / 6.1 / 7 - 12 / X3 / X4 | WPD |
| WinZip 8.0 or earlier | ZIP |
| Yandex Browser Website | |
| Zip Archive | ZIP |
| 7-Zip Archive | 7Z |

This is by no means an exhaustive list, and new decryption strategies are added regularly as we encounter them. If you have a file, disk, system or device that is protected by password and/or key then we can unlock it. The time and resources required depend largely on the protection mechanism, and we can advise of these at point of order.

We provide a full complement of services, from seizure of equipment and forensic analysis of data to comprehensive digital surveillance of individuals and organisations. Our procedures and processes are geared to provide concrete evidence for criminal or civil proceedings.

Contact us for more information.