1. Initialization
LWG is retained upon service of subpoena or at the initiation of an investigation, at which time we work with the client to develop a comprehensive data discovery and analysis strategy.

After data sources have been identified, LWG’s experts rapidly collect data from the identified data sources, which may include floppy disc, CD, DVD, network server, email server, PC’s, Laptops, tape backup or other archival media.
If applicable, we also work with counsel to construct effective discovery requests, issue spoliation letters and further refine strategy.

2. Data collection
The collection of evidence/data can be conducted either in the field or in the lab, and can be a technically challenging phase of the forensic process. Given the seemingly endless configurations of hardware, the forensic investigator must be knowledgeable of hardware interconnection and troubleshooting in order to successfully gather the targeted data. Typically, this process involves the use of a hard disk drive unit to act as a collection vessel, but the use of tape and other mass-storage devices may also be used. It is of paramount importance to ensure that the data collected is of evidentiary quality; it must be a true bit-map image of the source and show verifiable proof that the original data has not been modified or altered in any way. Chain of custody documentation is typically initiated at this step.

3. Data integrity verification
This process is key in the assurance that the collection has been successful. Various software algorithms can be performed to ensure that the data collected is an identical copy of that which was targeted. Verification of the accuracy of the collected data should be performed prior to relinquishing control of the source media. Throughout the remaining portion of the analysis process, data integrity should be regularly confirmed.

4. Data analysis
The analysis of the collected evidence/data is done through close involvement of the client, so as to ensure an efficient use of time. During the analysis, keyword searches, deleted file recovery, targeted file searches, e-mail retrieval, and Internet history can be obtained. Data that is not relevant to the investigation or discovery request is eliminated to streamline the review process.  This is typically performed by a keyword search using a variety of industry-accepted tools. Files can also be de-duplicated, operating system and program files stripped from the original data set, expediting the review process even further. Searches can be specified by location, date or a myriad of other data elements.

5. Reporting
The results of the assessment and procedures utilized are recorded and conveyed in a detailed written report. Evidentiary findings are recorded and, if required, produced in printed form or to electronic media such as compact disk. It is through this report that the procedures utilized in the collection and analysis process are explained.

6. Evidence storage
The original data image, as well as all evidentiary findings, are secured for later reference or until instructed by the client to dispose of or return the material.

7. Court testimony
In the event the matter moves to litigation, LWG's experts are capable of presenting data in a way that judges and juries can understand. We can also provide expert testimony attesting to the admissibility of your evidence, or at times, the inadmissibility of the opposing party’s data.

Click the submit a case icon to upload your information for a free consulation.