Tuesday, January 06, 2009  
 
 Data Forensics
  

Data Forensics refers to any process in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case. The Rosewood Group offers electronic discovery consulting and forensic examinations of digital and computer media to attorneys, private investigators, private business, government agencies, law enforcement, and individuals in need of technical and forensic expertise. By adhering to strict forensic procedures, the firm’s examinations are “by the book” and withstand the challenges presented for admissibility in court.

 

Data Acquisition

 Unless specialized software is used, the simple act of booting a computer system is almost certain to change data on disk drives connected to the computer. This results in the contamination of digital evidence and often causes vast amounts of data to be destroyed or altered before it can be copied. Copying files or backing up a disk drive are ineffectual forensic methods for a variety of reasons. Deleted files are not copied, nor are files or partitions that are hidden. Often, backup programs modify the attributes of files and folders by flagging them as having been backed up. The forensic methodology employed by The Rosewood Group is completely non-invasive to the original evidence and does not change any data on disk sub-systems before, during or after the data acquisition process. All information is copied, including deleted files, unallocated disk space, slack space and partition waste space. Gaining access to a disk drive non-invasively may be accomplished in several ways, depending on various technical configurations. Often, the fastest and easiest way to image an internal disk drive is to remove it from its native environment and connect it to a computer which has had its hardware and software optimized to support the forensic process. Alternatively, the drive may be left in the computer and the computer booted using a modified version of an operating system which has been “neutered” to prevent it from changing any data on disk drives connected to the computer.

 

Data Authentication

 Providing a quantifiable measurement of authenticity and integrity of data is essential for satisfying admissibility standards such as Federal Rules of Evidence - Article X - Rule 1003 and Federal Rules of Evidence - Article IX - Rule 901. The data acquisition and authentication protocol employed by The Rosewood Group has been developed to facilitate the discovery process and addresses issues raised in Federal Rules of Civil Procedure, Rules 26 and 34. The Rosewood Group integrates digital evidence and chain of custody information and extends the authentication paradigm to include the embedded chain of custody information. The Rosewood Group’s methodology is fault tolerant and can authenticate data on damaged media. The protocol also supports the exclusion of privileged information while retaining the ability to acquire, authenticate and analyze hard disks, floppy disks, Zip and Jaz disks and many other types of rotating magnetic and optical data storage media.

 

Data Analysis

 The Rosewood Group uses tools and techniques that allow us to recover data other utilities and data recovery companies miss. More than simply recovering deleted files, our advanced tools and techniques allow us to defeat passwords, discern subtle patterns of computer usage and much more. Reconstructing an accurate history of computer activity and identifying the “signature” of user-initiated actions requires an in-depth understanding of computer operating systems, file systems and disk storage subsystems. The Rosewood Group employs a standardized scientific methodology that has been proven to be sound, effective and reliable. Optimized to anticipate a wide variety of legal foundation and theoretical challenges, our findings and opinions are virtually incontrovertible.

 
